Abstract. In 1987 Ernst-Rüdiger Olderog provided an operational Petri net semantics
for a subset of CCSP, the union of Milner’s CCS and Hoare’s CSP. It
assigns to each process term in the subset a labelled, safe place/transition net.
To demonstrate the correctness of the approach, Olderog established agreement
(1) with the standard interleaving semantics of CCSP up to strong bisimulation
equivalence, and (2) with standard denotational interpretations of CCSP operators
in terms of Petri nets up to a suitable semantic equivalence that fully respects
the causal structure of nets. For the latter he employed a linear-time semantic
equivalence, namely having the same causal nets.

This paper strengthens (2), employing a novel branching-time version of
this semantics—structure preserving bisimilarity—that moreover preserves
inevitability. I establish that it is a congruence for the operators of CCSP.


1 Introduction 

The system description languages CCS and CSP have converged to one theory of
processes which—following a suggestion of M. Nielsen—was called “CCSP” in 12^ . The
standard semantics of this language is in terms of labelled transition systems modulo
strong bisimilarity, or some coarser semantic equivalence. In the case of CCS, a labelled
transition system is obtained by taking as states the closed CCS expressions, and as
transitions those that are derivable from a collection of rules by induction on the structure
of these expressions; this is called a (structural) operational semantics 1^ . The
semantics of CSP was originally given in quite a different way OI20L but [28] provided
an operational semantics of CSP in the same style as the one of CCS, and showed its
consistency with the original semantics.

Such semantics abstract from concurrency relations between actions by reducing
concurrency to interleaving. An alternative semantics, explicitly modelling concurrency
relations, requires models like Petri nets 13^ or event structures [25,36]. In [36,21]
non-interleaving semantics for variants of CCSP are given in terms of event structures.
However, infinite event structures are needed to model simple systems involving loops,
whereas Petri nets, like labelled transition systems, offer finite representations for some
such systems. Denotational semantics in terms of Petri nets of the essential CCSP
operators are given in [18,35,16]—see lIZTl for more references. Yet a satisfactory
denotational Petri net semantics treating recursion has to my knowledge not been proposed.

Olderog [26,27] closed this gap by giving an operational net semantics in the style
of [30,24] for a subset of CCSP including recursion—to be precise: guarded recursion.
To demonstrate the correctness of his approach, Olderog proposed two fundamental
properties such a semantics should have, and established that both of them hold lIZTl :

- Retrievability. The standard interleaving semantics for process terms should be
retrievable from the net semantics.

- Concurrency. The net semantics should represent the intended concurrency of
process terms.

The second requirement was not met by an earlier operational net semantics from 0. 

To formalise the first requirement, Olderog notes that a Petri net induces a labelled
transition system through the firing relation between markings—the interleaving case
graph—and requires that the interpretation of any CCSP expression as a state in a
labelled transition system through the standard interleaving semantics of CCSP should be
strongly bisimilar to the interpretation of this expression as a marking in the interleaving
case graph induced by its net semantics.

To formalise the second requirement, he notes that the intended concurrency of
process terms is clearly represented in the standard denotational semantics of CCSP
operators [18,35,16], and thus requires that the result of applying a CCSP operator to
its arguments according to this denotational semantics yields a similar result as doing
this according to the new operational semantics. The correct representation of recursion
follows from the correct representation of the other operators through the observation
that a recursive call has the very same interpretation as a Petri net as its unfolding.

A crucial parameter in this formalisation is the meaning of “similar”. A logical
choice would be semantic equivalence according to one of the non-interleaving
equivalences found in the literature, where a finer or more discriminating semantics gives a
stronger result. To match the concurrency requirement, this equivalence should respect
concurrency, in that it only identifies nets which display the same concurrency
relations. In this philosophy, the semantics of a CCSP expression is not so much a Petri
net, but a semantic equivalence class of Petri nets, i.e. a Petri net after abstraction from
irrelevant differences between nets. For this idea to be entirely consistent, one needs to
require that the chosen equivalence is a congruence for all CCSP constructs, so that the
meaning of the composition of two systems, both represented as equivalence classes of
nets, is independent of the choice of representative Petri nets within these classes.

Instead of selecting such an equivalence, Olderog instantiates “similar” in the above 
formalisation of the second requirement with strongly bisimilar, a new relation between 
nets that should not be confused with the traditional relation of strong bisimilarity 
between labelled transition systems. As shown in HI, strong bisimilarity fails to be 
an equivalence: it is reflexive and symmetric, but not transitive. 

As pointed out in llTTl Page 37] this general shortcoming of strong bisimilarity “does
not affect the purpose of this relation” in that book: there it “serves as an auxiliary
notion in proving that structurally different nets are causally equivalent”. Here causal
equivalence means having the same causal nets, where causal nets [29,34] model
concurrent computations or executions of Petri nets. So in effect Olderog does choose a
semantic equivalence on Petri nets, namely having the same concurrent computations
as modelled by causal nets. This equivalence fully respects concurrency.

1.1 Structure preserving bisimilarity

The contribution of the present paper is a strengthening of this choice of a semantic
equivalence on Petri nets. I propose the novel structure preserving bisimulation
equivalence on Petri nets, and establish that the result of applying a CCSP operator to its
arguments according to the standard denotational semantics yields a structure preserving
bisimilar result as doing this according to Olderog’s operational semantics. The latter
is an immediate consequence of the observation that structure preserving bisimilarity
between two nets is implied by Olderog’s strong bisimilarity.

Fig. 1. A spectrum of semantic equivalences on Petri nets

Figure 1 shows a map of some equivalence relations on nets found in the literature,
in relation to the new structure preserving bisimilarity, $\underline{\leftrightarrow}_{sp}$. The equivalences become
finer when moving up or to the right; thus coarser or less discriminating when following
the arrows. The rectangle from $\approx_{it}$ to is taken from ifTOll . The vertical axis is
the linear time - branching time spectrum, with trace equivalence at the bottom and
(strong) bisimulation equivalence, or bisimilarity, at the top. A host of intermediate
equivalences is discussed in HD. The key difference is that linear time equivalences,
like trace equivalence, only consider the set of possible executions of a process, whereas
branching time equivalences, like bisimilarity, additionally take into account at which
point the choice between two executions is made. The horizontal axis indicates to what
extent concurrency information is taken into account. Interleaving equivalences—on
the left—fully abstract from concurrency by reducing it to arbitrary interleaving; step
equivalences additionally take into account the possibility that two concurrent actions
happen at exactly the same moment; split equivalences recognise the beginning and end
of actions, which here are regarded to be durational, thereby capturing some information
about their overlap in time; ST- or interval equivalences fully capture concurrency
information as far as possible by considering durational actions overlapping in time; and
partial order equivalences capture the causal links between actions, and thereby all
concurrency. By taking the product of these two axes, one obtains a two-dimensional
spectrum of equivalence relations, with entries like interleaving bisimulation equivalence
and partial order trace equivalence. For the right upper corner several partial
order bisimulation equivalences were proposed in the literature; according to 113
the history preserving bisimulation equivalence $\approx_h$, originally proposed by ll^ , is the
coarsest one that fully captures the interplay between causality and branching time.

The causal equivalence employed by Olderog, $\equiv_{caus}$, is a linear time equivalence
strictly finer than $\approx_{pt}$. Since it preserves information about the number of preplaces
of a transition, it is specific to a model of concurrency based on Petri nets; i.e. there
is no obvious counterpart in terms of event structures. I found only two equivalences
in the literature that are finer than both $\equiv_{caus}$ and $\approx_h$, namely occurrence net
equivalence ifTbl —$\equiv_{occ}$—and the place bisimilarity $\approx_{pb}$ of (H]. Two nets are occurrence net
equivalent iff they have isomorphic unfoldings. The unfolding, defined in [25],
associates with a given safe Petri net N a loop-free net—an occurrence net—that combines
all causal nets of N, together with their branching structure. This unfolding is similar
to the unfolding of a labelled transition system into a tree, and thus the interleaving
counterpart of occurrence net equivalence is tree equivalence im , identifying two
transition systems iff their unfoldings are isomorphic. The place bisimilarity was inspired
by Olderog’s strong bisimilarity, but adapted to make it transitive, and thus an
equivalence relation. My new equivalence $\underline{\leftrightarrow}_{sp}$ will be shown to be strictly coarser than $\equiv_{occ}$
and $\approx_{pb}$, yet finer than both $\equiv_{caus}$ and $\approx_h$.

The equivalences discussed above (without the diagonal line in Figure 1) are all
defined on safe Petri nets. Additionally, the definitions generalise to unsafe Petri nets.
However, there are two possible interpretations of unsafe Petri nets, called the
collective token and the individual token interpretation ina, and this leads to two versions of
history preserving bisimilarity. The history preserving bisimilarity based on the
individual token interpretation was first defined for Petri nets in (jU, under the name fully
concurrent bisimulation equivalence. At the level of ST-semantics the collective and
individual token interpretations collapse. The unfolding of unsafe Petri nets, and thereby
occurrence net equivalence, has been defined for the individual token interpretation only
ll7l23TT2l , and likewise causal equivalence can be easily generalised within the
individual token interpretation. The new structure preserving bisimilarity falls in the individual
token camp as well.

1.2 Criteria for choosing this semantic equivalence

In selecting a new semantic equivalence for reestablishing Olderog’s agreement of
operational and denotational interpretations of CCSP operators, I consider the following
requirements on such a semantic equivalence (with subsequent justifications):

1. it should be a branching time equivalence, 

2. it should fully capture causality relations and concurrency (and the interplay
between causality and branching time),

3. it should respect inevitability [22], meaning that if two systems are equivalent, and
in one the occurrence of a certain action is inevitable, then so is it in the other,

4. it should be real-time consistent m, meaning that for every association of
execution times to actions, assuming that actions happen as soon as they can, the running
times associated with computations in equivalent systems should be the same,

5. it should be preserved under action refinement [14,13], meaning that if in two
equivalent Petri nets the same substitutions of nets for actions are made, the resulting
nets should again be equivalent.

6. it should be finer than Olderog’s causal equivalence,

7. it should not distinguish systems whose behaviours are patently the same, such as 
Petri nets that differ only in their unreachable parts, 

8. it should be a congruence for the constructs of CCSP, 

9. and it should allow to establish agreement between the operational and denotational 
interpretations of CCSP operators. 

Requirement 1 is the driving force behind this contribution. It is motivated by the insight
that branching time equivalences better capture phenomena like deadlock behaviour.
Since in general a stronger result on the agreement between operational and
denotational semantics is obtained when employing a finer semantics, I aim for a semantics
that fully captures branching time information, and thus is at least as discriminating as
interleaving bisimilarity.

Requirement 2 is an obvious choice when the goal of the project is to capture
concurrency explicitly. The combination of Requirements 1 and 2 then naturally asks for an
equivalence that is at least as fine as $\approx_h$. One might wonder, however, for what reason
one bothers to define a semantics that captures concurrency information. In the
literature, various practical reasons have been given for preferring a semantics that (partly)
respects concurrency and causality over an interleaving semantics. Three of the more
prominent of these reasons are formulated as requirements 3, 4 and 5 above.

Requirement 3 is manifestly useful when considering liveness properties of systems. 
Requirement 4 obviously has some merit when timing is an issue. Requirement 5 is 
useful in system design based on stepwise refinement ifTSll . 

Requirement 6 is only there so that I can truthfully state to have strengthened
Olderog’s agreement between the denotational and operational semantics, which was
stated in terms of causal equivalence. This requirement will not be needed in my
justification for introducing a new semantic equivalence—and neither will Requirement 2.

Requirement 7 is hardly in need of justification. The paper HI lists as a desirable
property of semantic equivalences—one that is not met by their own proposal $\approx_{pb}$—
that they should not distinguish nets that have isomorphic unfoldings, given that
unfolding a net should not be regarded as changing its behaviour. When working within
the individual token interpretation of nets I will take this as a suitable formalisation of
Requirement 7.

The argument for Requirement 8 has been given earlier in this introduction, and 
Requirement 9 underlies my main motivation for selecting a semantic equivalence in 
the first place. 


1.3 Applying the criteria 

Table 1 tells which of these requirements are satisfied by the semantic equivalences
from Section 1.1 (not considering the one collective token equivalence there). The first
two rows, reporting which equivalences satisfy Requirements 1 and 2, are well-known;
these results follow directly from the definitions. The third row, reporting on respect for
inevitability, is a contribution of this paper, and will be discussed in Section 1.4 and
delivered in Sections [TTI - [T4l

Table 1. Which requirements are satisfied by the various semantic equivalences

Regarding Row 4, in ifT^ it is established that ST-bisimilarity is real-time consistent.
Moreover, the formal definition is such that if a semantic equivalence $\approx$ is real-time
consistent, then so is any equivalence finer than $\approx$. Linear time equivalences are
not real-time consistent, and neither is $\approx_{2b}$ Ull-

In ifTSl it is established that $\approx_{pt}$ and $\approx_h$ are preserved under action refinement,
but interleaving and step equivalences are not, because they do not capture enough
information about concurrency. In ifTol it is shown that $\approx_{STt}$ and $\approx_{STb}$ are already
preserved under action refinement, whereas by iflTl split semantics are not. I conjecture
that $\equiv_{caus}$ and $\equiv_{occ}$ are also preserved under action refinement, but I have not seen a
formal proof. I also conjecture that the new $\underline{\leftrightarrow}_{sp}$ is preserved under action refinement.

Rows 6 and 7 follow as soon as I have formally established the implications of
Figure 1 (in SectionfToli. As for Row 8, I will show in Section 7 that $\underline{\leftrightarrow}_{sp}$ is a
congruence for the operators of CCSP. That also and Kin, are congruences for CCSP is
well known. The positive results in Row 9 follow from the fact that Olderog’s strong
bisimilarity implies $\underline{\leftrightarrow}_{sp}$, which will be established in Section 6.

Requirements 1 and 6 together limit the search space for suitable equivalence
relations to $\equiv_{occ}$, $\approx_{pb}$ and the new $\underline{\leftrightarrow}_{sp}$. When dropping Requirement 6, but keeping
2, also becomes in scope. When also dropping 2, but keeping 4, I gain $\approx_{STb}$ as a
candidate equivalence. However, both and $\approx_{STb}$ will fall prey to Requirement 3, so
also without Requirements 2 and 6 the search space will be limited to $\equiv_{occ}$, $\approx_{pb}$ and
the new $\underline{\leftrightarrow}_{sp}$.

Requirement 7 rules out $\approx_{pb}$, as that equivalence makes distinctions based on
unreachable parts of nets IT]. The indispensable Requirement 9 rules out $\equiv_{occ}$, since that
equivalence distinguishes the operational and denotational semantics of the CCSP
expression a0 + a0. According to the operational semantics this expression has only one
transition, whereas by the denotational semantics it has two, and $\equiv_{occ}$ does not collapse
identical choices. The same issue plays in interleaving semantics, where the operational
and denotational transition system semantics of CCSP do not agree up to tree
equivalence. This is one of the main reasons that bisimilarity is often regarded as the top of
the linear time - branching time spectrum.

This constitutes the justification for the new equivalence $\underline{\leftrightarrow}_{sp}$.

1.4 Inevitability

The meaning of Requirement 3 depends on which type of progress or fairness property
one assumes to guarantee that actions that are due to occur will actually happen. Lots of
fairness assumptions are mentioned in the literature, but, as far as I can tell, they can be
classified in exactly 4 groups: progress, justness, weak fairness and strong fairness Ha.
These four groups form a hierarchy, in the sense that one cannot consistently assume
strong fairness while objecting to weak fairness, or justness while objecting to progress.

Strong and weak fairness deal with choices that are offered infinitely often. Suppose 
you have a shop with only two customers A and B that may return to the shop to buy 
something else right after they are served. Then it is unfair to only serve customer 
A again and again, while B is continuously waiting to be served. In case B is not 
continuously ready to be served, but sometimes goes home to sleep, yet always returns 
to wait for his turn, it is weakly fair to always ignore customer B in favour of A, but 
not strongly fair. 

Weak and strong fairness assumptions can be made locally, pertaining to some
repeating choices of the modelled system but not to others, or globally, pertaining to all
choices of a given type. Since the real world is largely unfair, strong and weak fairness
assumptions need to be made with great caution, and they will not appear in this paper.

Justness and progress assumptions, on the other hand, come only in the global
variant, and can be safely assumed much more often. A progress assumption says that if a
system can do some action (that is not contingent on external input) it will do an action.
In the example of the shop, if there is a customer continuously ready to be served, and
the clerk stands pathetically behind the counter staring at the customer but not serving
anyone, there is a failure of progress. Without assuming progress, no action is inevitable,
because it is always possible that a system will remain in its initial state without ever
doing anything. Hence the concept of inevitability only makes sense when assuming at
least progress.

Justness HUS) says roughly that if a parallel component can make progress (not 
contingent on input from outside of this component) it will do so. Suppose the shop has 
two counters, each manned by a clerk, and, whereas customer A is repeatedly served 
at counter 1, customer B is ready to be served by counter 2, but is only stared at by a 
pathetic clerk. This is not a failure of progress, as in any state of the system someone will 
be served eventually. Yet it counts as a failure of justness. In the context of Petri nets, 
a failure of justness can easily be formalised as an execution, during which, from some 
point onwards, all preplaces of a given transition remain marked, yet the transition never 
fires m. One could argue that, when taking concurrency seriously, justness should be 
assumed whenever one assumes progress. 

Inevitability can be easily expressed in temporal logics like LTL OTI or CTL lb),
and it is well known that strongly bisimilar transition systems satisfy the same
temporal formulas. This suggests that interleaving bisimilarity already respects
inevitability. However, this conclusion is warranted only when assuming progress but not
justness, or perhaps also when assuming some form of weak or strong fairness. The
system $C := \langle X \mid X = aX + bX\rangle$—using the CCSP syntax of Section 2—repeatedly
choosing between the actions a and b, is interleaving bisimilar to the system
$D := \langle Y \mid Y = aY\rangle \,\|\, \langle Z \mid Z = bZ\rangle$, which in parallel performs infinitely many as and infinitely
many bs. Yet, when assuming justness but not weak fairness, the execution of the action
b is inevitable in D, but not in C. This shows that when assuming justness but not weak
fairness, interleaving bisimilarity does not respect inevitability. The paper [22], which
doesn’t use Petri nets as system model, leaves the precise formulation of a justness
assumption for future work—this task is undertaken in the different context of CCS in
ca. Also, respect of inevitability as a criterion for judging semantic equivalences does
not occur in [22], even though “the partial order approach” is shown to be beneficial.

In this paper, assuming justness but not strong or weak fairness, I show that neither
$\approx_h$ nor $\equiv_{caus}$ respects inevitability (using infinite nets in my counterexample). Hence,
respecting concurrency appears not quite enough to respect inevitability. Respect for
inevitability, like real-time consistency, is a property that holds for any equivalence
relation finer than one for which it is known to hold already. So also none of the ST- or
interleaving equivalences respects inevitability. I show that the new equivalence $\underline{\leftrightarrow}_{sp}$
respects inevitability. This makes it the coarsest equivalence of Figure 1 that does so.

2 CCSP 

CCSP is parametrised by the choice of an infinite set Act of actions, that I will assume
to be fixed for this paper. Just like the version of CSP from Hoare [20], the version of
CCSP used here is a typed language, in the sense that with every CCSP process P an
explicit alphabet $\alpha(P) \subseteq Act$ is associated, which is a superset of the set of all actions
the process could possibly perform. This alphabet is exploited in the definition of the
parallel composition $P \| Q$: actions in the intersection of the alphabets of P and Q are
required to synchronise, whereas all other actions of P and Q happen independently.
Because of this, processes with different alphabets may never be identified, even if they
can perform the same set of actions and are alike in all other aspects. It is for this reason
that I interpret CCSP in terms of typed Petri nets, with an alphabet as extra component.

I also assume an infinite set V of variable names. A variable is a pair $X_A$ with
$X \in V$ and $A \subseteq Act$. The syntax of (my subset of) CCSP is given by

$P ::= 0_A \mid aP \mid P + P \mid P \| P \mid R(P) \mid X_A \mid \langle X_A | S \rangle$   (with $X_A \in V_S$)

with $A \subseteq Act$, $a \in Act$, $R \subseteq Act \times Act$, $X \in V$ and S a recursive specification: a set
of equations $\{Y_B = S_{Y_B} \mid Y_B \in V_S\}$ with $V_S \subseteq V \times Act$ (the bound variables of S)
and $S_{Y_B}$ a CCSP expression satisfying $\alpha(S_{Y_B}) = B$ for all $Y_B \in V_S$ (where $\alpha(S_{Y_B})$
is defined below). The constant $0_A$ represents a process that is unable to perform any
action. The process aP first performs the action a and then proceeds as P. The process
P + Q will behave as either P or Q, $\|$ is a partially synchronous parallel composition
operator, R a renaming, and $\langle X_A | S \rangle$ represents the $X_A$-component of a solution of the
system of recursive equations S. A CCSP expression P is closed if every occurrence of
a variable $X_A$ occurs in a subexpression $\langle Y_B | S \rangle$ of P with $X_A \in V_S$.

The constant 0 and the variables are indexed with an alphabet. The alphabet of an 
arbitrary CCSP expression is given by: 

- $\alpha(0_A) = \alpha(X_A) = \alpha(\langle X_A | S \rangle) = A$

- $\alpha(aP) = \{a\} \cup \alpha(P)$

- $\alpha(P + Q) = \alpha(P \| Q) = \alpha(P) \cup \alpha(Q)$

- $\alpha(R(P)) = \{b \mid \exists a \in \alpha(P) : (a, b) \in R\}$.

Table 2. Structural operational interleaving semantics of CCSP

Substitutions of expressions for variables are allowed only if the alphabets match. For
this reason a recursive specification S is declared syntactically incorrect if $\alpha(S_{Y_B}) \neq B$
for some $Y_B \in V_S$. The interleaving semantics of CCSP is given by the labelled transition
relation $\rightarrow\ \subseteq T_{CCSP} \times Act \times T_{CCSP}$ on the set $T_{CCSP}$ of closed CCSP terms, where
the transitions $P \xrightarrow{a} Q$ (on arbitrary CCSP expressions) are derived from the rules
of Table 2. Here $\langle P | S \rangle$ for P an expression and S a recursive specification denotes
the expression P in which $\langle Y_B | S \rangle$ has been substituted for the variable $Y_B$ for all
$Y_B \in V_S$.

A CCSP expression is well-typed if for any subexpression of the form aP one has
$a \in \alpha(P)$ and for any subexpression of the form P + Q one has $\alpha(P) = \alpha(Q)$. Thus
aO{(j} + bXni is not well-typed, although the equivalent expression aO{a -P bX^g^ is.
A recursive specification $\langle X_A | S \rangle$ is guarded if each occurrence of a variable $Y_B \in V_S$
in a term $S_{Z_C}$ for some $Z_C \in V_S$ lies within a subterm of $S_{Z_C}$ of the form aP. Following
CTll I henceforth only consider well-typed CCSP expressions with guarded recursion.

In Olderog’s subset of CCSP, each recursive specification has only one equation,
and renamings must be functions instead of relations. Here I allow mutual recursion and
relational renaming, where an action may be renamed into a choice of several actions—
or possibly none. This generalisation does not affect any of the proofs in lIZTl .

Example 1. The behaviour of the customer from Section 1.4 could be given by the
recursive specification $S_{CUS}$:

$CUS_{Cu} = enter\ buy\ leave\ CUS_{Cu}$

indicating that the customer keeps coming back to the shop to buy more things. Here
$enter, buy, leave \in Act$ and $CUS \in V$. The customer’s alphabet Cu is {enter, buy, leave}.
Likewise, the behaviour of the store clerk could be given by the specification $S_{CLK}$:

$CLK_{Cl} = serve\ CLK_{Cl}$

where Cl = {serve}. The CCSP processes representing the customer and the clerk, with
their reachable states and labelled transitions between them, are displayed in Figure 2.

[Figure: the customer cycles through three states via the transitions enter, buy and
leave; the clerk has a single state with a serve loop.]

Fig. 2. Labelled transition semantics of customer and clerk


In order to ensure that the parallel composition synchronises the buy-action of the
customer with the serve-action of the clerk, I apply renaming operators $R_{CUS}$ and $R_{CLK}$
with $R_{CUS}(buy) = serves$ and $R_{CLK}(serve) = serves$ and leaving all other actions
unchanged, where serves is a joint action of the renamed customer and the renamed clerk.
The total CCSP specification of a store with one clerk and one customer is

$R_{CUS}(\langle CUS_{Cu} | S_{CUS} \rangle) \,\|\, R_{CLK}(\langle CLK_{Cl} | S_{CLK} \rangle)$

and the relevant part of the labelled transition system of CCSP is displayed below.


[Figure: three states connected in a cycle by the transitions enter, serves and leave.]

Fig. 3. Labelled transition semantics of the 1-customer 1-clerk store


One possible behaviour of this system is the sequence of actions enter serves leave
enter, followed by eternal stagnation. This behaviour is ruled out by the progress
assumption of Section 1.4. The only behaviour compatible with this assumption is the
infinite sequence of actions $(enter\ serves\ leave)^\infty$.

To model a store with two customers (A and B) and 2 clerks (I and II), I introduce
a relational renaming for each of them, defined by

$R_A(enter)$ = A enters    $R_A(buy)$ = {I serves A, II serves A}    $R_A(leave)$ = A leaves
$R_B(enter)$ = B enters    $R_B(buy)$ = {I serves B, II serves B}    $R_B(leave)$ = B leaves
$R_I(serve)$ = {I serves A, I serves B}
$R_{II}(serve)$ = {II serves A, II serves B}.

The CCSP specification of a store with two clerks and two customers is

$(R_A(\langle CUS_{Cu} | S_{CUS} \rangle) \,\|\, R_B(\langle CUS_{Cu} | S_{CUS} \rangle)) \,\|\, (R_I(\langle CLK_{Cl} | S_{CLK} \rangle) \,\|\, R_{II}(\langle CLK_{Cl} | S_{CLK} \rangle))$

and the part of the labelled transition system of CCSP reachable from that process has
3 × 3 × 1 × 1 = 9 states and 6 × 4 = 24 transitions.
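
The state and transition counts of Example 1 can be checked mechanically. The following Python sketch is an added example, not part of the paper: it builds the customer and clerk as small transition systems and applies relational renaming and alphabet-synchronised parallel composition as described in the prose of this section (the rules of Table 2 are not reproduced on this page). The names Proc, cyclic, rename, par and reachable are chosen here for illustration.

```python
from dataclasses import dataclass
from typing import Callable, FrozenSet, Hashable, Set, Tuple

# Illustrative encoding (an assumption of this example): a process is its
# explicit alphabet, an initial state and a successor function.
@dataclass(frozen=True)
class Proc:
    alphabet: FrozenSet[str]
    init: Hashable
    step: Callable[[Hashable], Set[Tuple[str, Hashable]]]

def cyclic(*actions):
    """<X | X = a1 a2 ... an X>: perform the actions in order, forever."""
    n = len(actions)
    return Proc(frozenset(actions), 0,
                lambda s: {(actions[s], (s + 1) % n)})

def rename(p, rel):
    """R(P) for a relational renaming: rel maps an action to the set of
    actions it may become; actions not listed are left unchanged."""
    img = lambda a: rel.get(a, {a})
    alphabet = frozenset(b for a in p.alphabet for b in img(a))
    return Proc(alphabet, p.init,
                lambda s: {(b, t) for a, t in p.step(s) for b in img(a)})

def par(p, q):
    """P || Q: actions in both alphabets must synchronise, all other
    actions of P and Q happen independently."""
    sync = p.alphabet & q.alphabet
    def step(state):
        s, t = state
        ps, qs = p.step(s), q.step(t)
        out = {(a, (s2, t)) for a, s2 in ps if a not in sync}
        out |= {(b, (s, t2)) for b, t2 in qs if b not in sync}
        out |= {(a, (s2, t2)) for a, s2 in ps for b, t2 in qs
                if a == b and a in sync}
        return out
    return Proc(p.alphabet | q.alphabet, (p.init, q.init), step)

def reachable(p):
    """States and labelled transitions reachable from the initial state."""
    states, trans, todo = {p.init}, set(), [p.init]
    while todo:
        s = todo.pop()
        for a, t in p.step(s):
            trans.add((s, a, t))
            if t not in states:
                states.add(t)
                todo.append(t)
    return states, trans

def one_customer_store():
    cus = rename(cyclic("enter", "buy", "leave"), {"buy": {"serves"}})
    clk = rename(cyclic("serve"), {"serve": {"serves"}})
    return par(cus, clk)

def two_customer_store():
    def customer(c):
        return rename(cyclic("enter", "buy", "leave"), {
            "enter": {f"{c} enters"},
            "buy": {f"I serves {c}", f"II serves {c}"},
            "leave": {f"{c} leaves"}})
    def clerk(k):
        return rename(cyclic("serve"),
                      {"serve": {f"{k} serves A", f"{k} serves B"}})
    return par(par(customer("A"), customer("B")),
               par(clerk("I"), clerk("II")))

if __name__ == "__main__":
    for name, store in [("1 customer, 1 clerk", one_customer_store()),
                        ("2 customers, 2 clerks", two_customer_store())]:
        states, trans = reachable(store)
        print(f"{name}: {len(states)} states, {len(trans)} transitions")
```

Because the two customers have disjoint alphabets they interleave freely, while every "serves" action needs both a waiting customer and the named clerk, which is what produces the 24 transitions.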
3 Petri nets

A multiset over a set S is a function $C: S \to \mathbb{N}$, i.e. $C \in \mathbb{N}^S$; let $|C| :=$
; $x \in S$ is an element of C, notation $x \in C$, iff $C(x) > 0$.

The function $\emptyset: S \to \mathbb{N}$, given by $\emptyset(x) := 0$ for all $x \in S$, is the empty multiset over S.
For multisets C and D over S one writes $C \le D$ iff $C(x) \le D(x)$ for all $x \in S$;

$C \cap D$ denotes the multiset over S with $(C \cap D)(x) := \min(C(x), D(x))$,

$C + D$ denotes the multiset over S with $(C + D)(x) := C(x) + D(x)$; and
the multiset $C - D$ is only defined if $D \le C$ and then $(C - D)(x) := C(x) - D(x)$.
A multiset C with $C(x) \le 1$ for all x is identified with the (plain) set $\{x \mid C(x) = 1\}$.
The construction $C := \{f(x_1, \dots, x_n) \mid x_i \in D_i\}$ of a set C out of sets $D_i$ ($i = 1, \dots, n$)
generalises naturally to multisets C and $D_i$, taking the multiplicity $C(x)$ of an element
x to be $\sum_{f(x_1, \dots, x_n) = x} D_1(x_1) \cdot \ldots \cdot D_n(x_n)$.

Definition 1. A (typed) Petri net is a tuple $N = (S, T, F, M_0, A, \ell)$ with

- S and T disjoint sets (of places and transitions),

- $F : ((S \times T) \cup (T \times S)) \to \mathbb{N}$ (the flow relation including arc weights),

- $M_0 : S \to \mathbb{N}$ (the initial marking),

- A a set of actions, the type of the net, and

- $\ell : T \to A$ (the labelling function).

Petri nets are depicted by drawing the places as circles and the transitions as boxes,
containing their label. Identities of places and transitions are displayed next to the net
element. For $x, y \in S \cup T$ there are $F(x, y)$ arrows (arcs) from x to y. When a Petri
net represents a concurrent system, a global state of this system is given as a marking,
a multiset M of places, depicted by placing $M(s)$ dots (tokens) in each place s. The
initial state is $M_0$.

The behaviour of a Petri net is defined by the possible moves between markings
M and M', which take place when a transition t fires. In that case, t consumes $F(s, t)$
tokens from each place s. Naturally, this can happen only if M makes all these tokens
available in the first place. Moreover, t produces $F(t, s)$ tokens in each place s.
Definition 2 formalises this notion of behaviour.

Definition 2. Let $N = (S, T, F, M_0, A, \ell)$ be a Petri net and $x \in S \cup T$. The multisets
${}^\bullet x, x^\bullet: S \cup T \to \mathbb{N}$ are given by ${}^\bullet x(y) = F(y, x)$ and $x^\bullet(y) = F(x, y)$ for all $y \in S \cup T$;
for $t \in T$, the elements of ${}^\bullet t$ and $t^\bullet$ are called pre- and postplaces of t, respectively.
Transition $t \in T$ is enabled from the marking $M \in \mathbb{N}^S$—notation $M[t\rangle$—if ${}^\bullet t \le M$.
In that case firing t yields the marking $M' := M - {}^\bullet t + t^\bullet$—notation $M[t\rangle M'$.

A path $\pi$ of a Petri net $N$ is an alternating sequence $M_0 t_1 M_1 t_2 M_2 t_3 \ldots$ of markings
and transitions, starting from the initial marking $M_0$ and either being infinite or ending
in a marking $M_n$, such that $M_k[t_k\rangle M_{k+1}$ for all $k$ ($< n$). A marking is reachable if it
occurs in such a path. The Petri net $N$ is safe if all reachable markings $M$ are plain sets,
meaning that $M(s) \le 1$ for all places $s$. It has bounded parallelism [19] if there is no
reachable marking M and infinite multiset of transitions U such that 
this paper I consider Petri nets with bounded parallelism only, and call them nets. 
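
The multiset operations and the firing rule of Definition 2 can be exercised directly. The Python below is an added example, not code from the paper: it implements $\le$, enabling, firing, paths, reachability and the safety check for finite nets, and the two sample nets (`FORK_JOIN`, `DOUBLER`) are constructed for illustration.

```python
from collections import Counter, deque


def leq(c, d):
    """C <= D iff C(x) <= D(x) for all x (multiset inclusion)."""
    return all(n <= d[x] for x, n in c.items())


def freeze(m):
    """Canonical hashable form of a marking (zero entries dropped)."""
    return tuple(sorted((s, n) for s, n in m.items() if n > 0))


class Net:
    """Finite Petri net with pre[t](s) = F(s, t) and post[t](s) = F(t, s)."""

    def __init__(self, pre, post, label, m0):
        self.pre = {t: Counter(p) for t, p in pre.items()}
        self.post = {t: Counter(p) for t, p in post.items()}
        self.label = dict(label)
        self.m0 = Counter(m0)

    def enabled(self, m, t):
        """M[t> holds iff the preplaces of t, with weights, are in M."""
        return leq(self.pre[t], m)

    def fire(self, m, t):
        """M' := M - pre(t) + post(t); only defined when t is enabled."""
        if not self.enabled(m, t):
            raise ValueError(f"{t} is not enabled")
        return m - self.pre[t] + self.post[t]

    def run(self, transitions):
        """Markings M0, M1, ... along the path that fires `transitions`."""
        path = [self.m0]
        for t in transitions:
            path.append(self.fire(path[-1], t))
        return path

    def reachable(self, limit=10_000):
        """Breadth-first enumeration of reachable markings, capped at `limit`."""
        seen = {freeze(self.m0): self.m0}
        todo = deque([self.m0])
        while todo:
            m = todo.popleft()
            for t in self.pre:
                if not self.enabled(m, t):
                    continue
                m2 = self.fire(m, t)
                key = freeze(m2)
                if key not in seen:
                    if len(seen) >= limit:
                        raise RuntimeError("more reachable markings than limit")
                    seen[key] = m2
                    todo.append(m2)
        return list(seen.values())

    def is_safe(self, limit=10_000):
        """Safe iff every reachable marking is a plain set (M(s) <= 1)."""
        return all(n <= 1 for m in self.reachable(limit) for n in m.values())


# Constructed sample: two independent steps a and b, then a joint step.
FORK_JOIN = Net(
    pre={"a": ["p0"], "b": ["q0"], "sync": ["p1", "q1"]},
    post={"a": ["p1"], "b": ["q1"], "sync": ["done"]},
    label={"a": "a", "b": "b", "sync": "c"},
    m0=["p0", "q0"],
)

# Constructed sample: arc weight 2 on the output arc, so the net is not safe.
DOUBLER = Net(
    pre={"d": ["p"]},
    post={"d": ["q", "q"]},
    label={"d": "d"},
    m0=["p"],
)
```
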
4 An operational Petri net semantics of CCSP

This section recalls the operational Petri net semantics of CCSP, given by Olderog
[26,27]. It associates a net $[\![P]\!]$ with each closed CCSP expression $P$.

The standard operational semantics of CCSP, presented in Section 2, yields one big
labelled transition system for the entire language.$^1$ Each individual closed CCSP
expression $P$ appears as a state in this LTS. If desired, a process graph —an LTS enriched
with an initial state—for $P$ can be extracted from this system-wide LTS by appointing
$P$ as the initial state, and optionally deleting all states and transitions not reachable from
$P$. In the same vein, an operational Petri net semantics yields one big Petri net for the
entire language, but without an initial marking. I call such a Petri net unmarked. Each
process $P \in T_{CCSP}$ corresponds with a marking $dex(P)$ of that net. If desired, a Petri
net $[\![P]\!]$ for $P$ can be extracted from this system-wide net by appointing $dex(P)$ as its
initial marking, taking the type of $[\![P]\!]$ to be $\alpha(P)$, and optionally deleting all places
and transitions not reachable from $dex(P)$.

The set $S_{CCSP}$ of places in the net is the smallest set including:

$0_A$ inaction, $aP$ prefixing, $\mu + \nu$ choice,

$\mu\|_A$ left parallel component, ${}_A\|\mu$ right component, $R(\mu)$ renaming

for $A \subseteq Act$, $P \in T_{CCSP}$, $a \in Act$, $\mu, \nu \in S_{CCSP}$ and renamings $R$. The mapping

$dex : T_{CCSP} \to \mathcal{P}(S_{CCSP})$ decomposing and expanding a process expression into a
set of places is inductively defined by:

$dex(0_A) = \{0_A\}$

$dex(aP) = \{aP\}$

$dex(R(P)) = R(dex(P))$

$dex(P + Q) = dex(P) + dex(Q)$

$dex(\langle X_A|S\rangle) = dex(\langle S_{X_A}|S\rangle)$

$dex(P\|Q) = dex(P)\|_A \cup {}_A\|dex(Q)$ where $A = \alpha(P) \cap \alpha(Q)$.

Here $H\|_A$, ${}_A\|H$, $R(H)$ and $H + K$ for $H, K \subseteq S_{CCSP}$ are defined element by element;
e.g. $R(H) = \{R(\mu) \mid \mu \in H\}$. The binding matters, so that $({}_A\|H)\|_B \ne {}_A\|(H\|_B)$.
Since I deal with guarded recursion only, $dex$ is well-defined.

Following [27], I construct the unmarked Petri net $(S, T, F, Act, \ell)$ of CCSP with

$S := S_{CCSP}$, specifying the triple $(T, F, \ell)$ as a ternary relation $\to\ \subseteq \mathbb{N}^S \times Act \times \mathbb{N}^S$.
An element $H \xrightarrow{a} J$ of this relation denotes a transition $t \in T$ with $\ell(t) = a$ such that
${}^\bullet t = H$ and $t^\bullet = J$. The transitions $H \xrightarrow{a} J$ are derived from the rules of Table 3.

Note that there is no rule for recursion. The transitions of a recursive process $\langle X_A|S\rangle$
are taken care of indirectly by the decomposition $dex(\langle X_A|S\rangle) = dex(\langle S_{X_A}|S\rangle)$,
which expands the decomposition of a recursive call into a decomposition of an
expression in which each recursive call is guarded by an action prefix.

Example 1. The Petri net semantics of the 2-customer 2-clerk store from Section 2 is
displayed in Figure 4. It is more compact than the 9-state 24-transition labelled
transition system. The name of the bottom-most place is ${}_{Ser}\|\,{}_{\emptyset}\|\,R_{II}(serve\,\langle CLK_{ci}|S_{CLK}\rangle)$
where $Ser$ is the alphabet {I serves A, I serves B, II serves A, II serves B}.

$^1$ A labelled transition system (LTS) is given by a set $S$ of states and a transition relation
$T \subseteq S \times \mathcal{L} \times S$ for some set of labels $\mathcal{L}$. The LTS generated by CCSP has $S := T_{CCSP}$,
$\mathcal{L} := Act$ and $T :=$
Table 3. Operational Petri net semantics of CCSP



A progress assumption, as discussed in Section 1.4, disallows runs that stop after
finitely many actions. So in each run some of the actions from $Ser$ will occur infinitely
often. When assuming strong fairness, each of those actions will occur infinitely often.
When assuming only weak fairness, it is possible that II serves A and II serves B will
never occur, as long as I serves A and I serves B each occur infinitely often, for in such
a run the actions II serves A and II serves B are not enabled in every state (from some
point onwards). However, it is not possible that I serves B and II serves B never occur,
because in such a run, from some point onwards, the action I serves B is enabled in
every state.

When assuming justness but not weak fairness, a run that bypasses any two serving
actions is possible, but a run that bypasses I serves B, II serves A and II serves B
is excluded, because in such a run, from some point onwards, the action II serves B is
perpetually enabled, in the sense that both tokens in its preplaces never move away.



Fig. 4. Petri net semantics of the 2-customer 2-clerk store 


Olderog [26,27] shows that the Petri net $[\![P]\!]$ associated to a closed CCSP expression
$P$ is safe, and that all its reachable markings are finite; the latter implies that it
has bounded parallelism. The following result, from [26,27], shows that the standard
interleaving semantics of CCSP is retrievable from the net semantics; it establishes a
strong bisimulation relating any CCSP expression (seen as a state in a labelled transition
system) with its interpretation as a marking in the Petri net of CCSP.
Theorem 1. There exists a relation $\mathcal{B}$ between closed CCSP expressions and markings
in the unmarked Petri net of CCSP, such that

- $P \mathrel{\mathcal{B}} dex(P)$ for each closed, well-typed CCSP expression with guarded recursion,

- if $P \mathrel{\mathcal{B}} M$ and $P \xrightarrow{a} P'$ then there is a marking $M'$ and transition $t$ with $\ell(t) = a$,
  $M[t\rangle M'$ and $P' \mathrel{\mathcal{B}} M'$, and

- if $P \mathrel{\mathcal{B}} M$ and $M[t\rangle M'$ then there is CCSP process $P'$ with $P \xrightarrow{\ell(t)} P'$ and $P' \mathrel{\mathcal{B}} M'$.

To formalise the concurrency requirement for his net semantics Olderog defines for
each $n$-ary CCSP operator $op$ an $n$-ary operation $op_{\mathcal{N}}$ on safe Petri nets, inspired by
proposals from [18,35,16], and requires that

(1) $[\![op(P_1, \ldots, P_n)]\!] \approx op_{\mathcal{N}}([\![P_1]\!], \ldots, [\![P_n]\!])$

(2) $[\![\langle X_A|S\rangle]\!] \approx [\![\langle S_{X_A}|S\rangle]\!]$

for a suitable relation $\approx$. In fact, (2) turns out to hold taking for $\approx$ the identity relation.
He establishes (1) taking for $\approx$ a relation he calls strong bisimilarity, whose definition
will be recalled in Section 6. When a relation $\equiv$ includes $\approx$, and (1) holds for $\approx$, then it
also holds for $\equiv$.

The operations $op_{\mathcal{N}}$ (i.e. $(0_A)_{\mathcal{N}}$ for $A \subseteq Act$, $a_{\mathcal{N}}$ for $a \in Act$, $R_{\mathcal{N}}$ for $R \subseteq Act \times Act$,
$\|_{\mathcal{N}}$ and $+_{\mathcal{N}}$) are defined only up to isomorphism, but this is no problem as isomorphic
nets are strongly bisimilar. The definition is recalled below—it generalises verbatim
to non-safe nets, except that $+_{\mathcal{N}}$ is defined only for nets whose initial markings are
nonempty plain sets.

Definition 3. [27] The net $(0_A)_{\mathcal{N}}$ has type $A$ and consists of a single place, initially marked:
$(0_A)_{\mathcal{N}} := (\{0_A\}, \emptyset, \emptyset, \{0_A\}, A, \emptyset)$.

Given a net $N = (S, T, F, M, A, \ell)$ and $a \in Act$, take $s_0, t_a \notin S \cup T$. Then the net
$a_{\mathcal{N}}N$ is obtained from $N$ by the addition of the fresh place $s_0$ and the fresh transition
$t_a$, labelled $a$, such that ${}^\bullet t_a = \{s_0\}$ and $t_a^\bullet = M$. The type of $a_{\mathcal{N}}N$ will be $A \cup \{a\}$
and the initial marking $\{s_0\}$.

Given a net $N = (S, T, F, M, A, \ell)$ and a renaming operator $R(\_)$, the net $R_{\mathcal{N}}(N)$
has type $R(A) := \{b \in Act \mid \exists a \in A.\ (a, b) \in R\}$, the same places and initial marking
as $N$, and transitions $t_b$ for each $t \in T$ and $b \in Act$ with $(\ell(t), b) \in R$. One has ${}^\bullet t_b := {}^\bullet t$,
$t_b^\bullet := t^\bullet$, and the label of $t_b$ will be $b$.

Given two nets $N_i = (S_i, T_i, F_i, M_i, A_i, \ell_i)$ ($i = 1, 2$), their parallel composition
$N_1 \|_{\mathcal{N}} N_2 = (S, T, F, M, A, \ell)$ is obtained from the disjoint union of $N_1$ and $N_2$ by the
omission of all transitions $t$ of $T_1 \cup T_2$ with $\ell(t) \in A_1 \cap A_2$, and the addition of fresh
transitions $(t_1, t_2)$ for all pairs $t_i \in T_i$ ($i = 1, 2$) with $\ell_1(t_1) = \ell_2(t_2) \in A_1 \cap A_2$. Take

${}^\bullet(t_1, t_2) = {}^\bullet t_1 + {}^\bullet t_2$, $(t_1, t_2)^\bullet = t_1^\bullet + t_2^\bullet$, $\ell(t_1, t_2) = \ell(t_1)$, and $A := A_1 \cup A_2$.

Given nets $N_i = (S_i, T_i, F_i, M_i, A_i, \ell_i)$ with $M_i \ne \emptyset$ a plain set ($i = 1, 2$), the net
$N_1 +_{\mathcal{N}} N_2$ with type $A_1 \cup A_2$ is obtained from the disjoint union of $N_1$ and $N_2$ by
the addition of the set of fresh places $M_1 \times M_2$—this set will be the initial marking of
$N_1 +_{\mathcal{N}} N_2$—and the addition of fresh transitions $t_i^K$ for any $t_i \in T_i$ and $\emptyset \ne K \le {}^\bullet t_i \cap M_i$.
$\ell(t_i^K) = \ell_i(t_i)$, ${}^\bullet t_1^K = {}^\bullet t_1 - K + (K \times M_2)$, ${}^\bullet t_2^K = {}^\bullet t_2 - K + (M_1 \times K)$ and $(t_i^K)^\bullet$
5 Structure preserving bisimulation equivalence

This section presents structure preserving bisimulation equivalence on nets. 

Definition 4. Given two nets $N_i = (S_i, T_i, F_i, M_i, A_i, \ell_i)$, a link is a pair $(s_1, s_2) \in S_1 \times S_2$
of places. A linking $l \in \mathbb{N}^{S_1 \times S_2}$ is a multiset of links; it can be seen as a pair of markings
with a bijection between them. Let $\pi_i(l) \in \mathbb{N}^{S_i}$ be these markings, given by
$\pi_1(l)(s_1) = \sum_{s_2 \in S_2} l(s_1, s_2)$ for all $s_1 \in S_1$ and $\pi_2(l)(s_2) = \sum_{s_1 \in S_1} l(s_1, s_2)$ for all $s_2 \in S_2$.
A structure preserving bisimulation (sp-bisimulation) is a set $\mathcal{B}$ of linkings, such that

- if $c \le l \in \mathcal{B}$ and $\pi_1(c) = {}^\bullet t_1$ for $t_1 \in T_1$ then there are a transition $t_2 \in T_2$ with
  $\ell(t_2) = \ell(t_1)$ and $\pi_2(c) = {}^\bullet t_2$, and a linking $\bar{c}$ such that $\pi_1(\bar{c}) = t_1^\bullet$, $\pi_2(\bar{c}) = t_2^\bullet$
  and $\bar{l} := l - c + \bar{c} \in \mathcal{B}$.

- if $c \le l \in \mathcal{B}$ and $\pi_2(c) = {}^\bullet t_2$ then there are a $t_1$ and a $\bar{c}$ with the same properties.

$N_1$ and $N_2$ are structure preserving bisimilar, notation $N_1 \underline{\leftrightarrow}_{sp} N_2$, if $A_1 = A_2$ and there
is a linking $l$ in a structure preserving bisimulation with $M_1 = \pi_1(l)$ and $M_2 = \pi_2(l)$.

Note that if $\mathcal{B}$ is an sp-bisimulation, then so is its downward closure $\{k \mid \exists l \in \mathcal{B}.\ k \le l\}$.
Moreover, if $\mathcal{B}$ is an sp-bisimulation between two nets, then the set of those linkings
$l \in \mathcal{B}$ for which $\pi_1(l)$ and $\pi_2(l)$ are reachable markings is also an sp-bisimulation.

If $B$ is a set of links, let $\overline{B}$ be the set of all linkings that are multisets over $B$.
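
For finite nets and a finite candidate set of linkings, the two clauses of Definition 4 can be checked mechanically. The Python below is an added example, not code from the paper: a linking is a `Counter` over pairs of places, a net is a dictionary with hypothetical keys `type`, `m0` and `trans`, and the nets `LOOP` and `UNROLLED` together with the candidate sets are constructed for illustration.

```python
from collections import Counter
from itertools import product


def freeze(ms):
    """Canonical form of a multiset, so two Counters compare by content."""
    return tuple(sorted((k, n) for k, n in ms.items() if n > 0))


def same(c, d):
    return freeze(c) == freeze(d)


def leq(c, d):
    return all(n <= d[k] for k, n in c.items())


def proj(linking, i):
    """pi_1 (i = 0) or pi_2 (i = 1): the marking a linking induces on one net."""
    marking = Counter()
    for link, n in linking.items():
        marking[link[i]] += n
    return marking


def sub_multisets(l):
    """Every c with c <= l."""
    links = list(l)
    for counts in product(*(range(l[k] + 1) for k in links)):
        yield Counter({k: n for k, n in zip(links, counts) if n})


def transfer(linkings, mine, other, side):
    """One clause of Definition 4; side 0 starts from N1, side 1 from N2."""
    for l in linkings:
        for c in sub_multisets(l):
            rest = l - c
            for label, pre, post in mine.values():
                if not same(proj(c, side), pre):
                    continue
                # The replacement linking is fixed by the successor l2 = rest + c_bar,
                # so it is enough to search the candidate set for l2.
                answered = any(
                    label2 == label
                    and same(proj(c, 1 - side), pre2)
                    and leq(rest, l2)
                    and same(proj(l2 - rest, side), post)
                    and same(proj(l2 - rest, 1 - side), post2)
                    for label2, pre2, post2 in other.values()
                    for l2 in linkings
                )
                if not answered:
                    return False
    return True


def is_sp_bisimulation(linkings, n1, n2):
    return (transfer(linkings, n1["trans"], n2["trans"], 0)
            and transfer(linkings, n2["trans"], n1["trans"], 1))


def relates_initial(linkings, n1, n2):
    return any(same(proj(l, 0), n1["m0"]) and same(proj(l, 1), n2["m0"])
               for l in linkings)


def witnesses(linkings, n1, n2):
    """True iff `linkings` shows that n1 and n2 are sp-bisimilar."""
    return (n1["type"] == n2["type"]
            and relates_initial(linkings, n1, n2)
            and is_sp_bisimulation(linkings, n1, n2))


# Constructed nets: an a-loop next to a b-loop, and the same system with the
# a-loop unrolled into a cycle of length two. Transitions: (label, pre, post).
LOOP = {"type": {"a", "b"}, "m0": Counter(["s", "r"]), "trans": {
    "t": ("a", Counter(["s"]), Counter(["s"])),
    "u": ("b", Counter(["r"]), Counter(["r"]))}}
UNROLLED = {"type": {"a", "b"}, "m0": Counter(["x0", "w"]), "trans": {
    "t1": ("a", Counter(["x0"]), Counter(["x1"])),
    "t2": ("a", Counter(["x1"]), Counter(["x0"])),
    "v": ("b", Counter(["w"]), Counter(["w"]))}}

GOOD = [Counter([("s", "x0"), ("r", "w")]), Counter([("s", "x1"), ("r", "w")])]
# Same pair of markings as GOOD[0], but the links pair up the wrong places.
SWAPPED = [Counter([("s", "w"), ("r", "x0")])]
```

`SWAPPED` relates the initial markings as multisets but fails the transfer property, which is the difference between a linking and a mere pair of markings.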

Proposition 1. Structure preserving bisimilarity is an equivalence relation. 

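Proof. The relation $\overline{Id}$, with $Id$ the identity relation on places, is an sp-bisimulation,
showing that $N \underline{\leftrightarrow}_{sp} N$ for any net $N$.

Given an sp-bisimulation $\mathcal{B}$, also $\{l^{-1} \mid l \in \mathcal{B}\}$ is an sp-bisimulation, showing
symmetry of $\underline{\leftrightarrow}_{sp}$.

Given linkings $h \in \mathbb{N}^{S_1 \times S_3}$, $k \in \mathbb{N}^{S_1 \times S_2}$ and $l \in \mathbb{N}^{S_2 \times S_3}$, write $h \in k;l$ if there is
a multiset $m \in \mathbb{N}^{S_1 \times S_2 \times S_3}$ of triples of places, with $k(s_1, s_2) = \sum_{s_3 \in S_3} m(s_1, s_2, s_3)$,
$l(s_2, s_3) = \sum_{s_1 \in S_1} m(s_1, s_2, s_3)$ and $h(s_1, s_3) = \sum_{s_2 \in S_2} m(s_1, s_2, s_3)$. Now, for
sp-bisimulations $\mathcal{B}$ and $\mathcal{B}'$, also $\mathcal{B};\mathcal{B}' := \{h \in k;l \mid k \in \mathcal{B} \wedge l \in \mathcal{B}'\}$ is an sp-bisimulation,
showing transitivity of $\underline{\leftrightarrow}_{sp}$. □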


6 Strong bisimilarity 


As discussed in the introduction and at the end of Section 4, Olderog defined a relation
of strong bisimilarity on safe Petri nets.


Definition 5. For $B \subseteq S_1 \times S_2$ a binary relation between the places of two safe nets
$N_i = (S_i, T_i, F_i, M_i, A_i, \ell_i)$, write $\widehat{B}$ for the set of all linkings $l \subseteq B$ such that $\pi_i(l)$
is a reachable marking of $N_i$ for $i = 1, 2$ and $B \cap (\pi_1(l) \times \pi_2(l)) = l$. Now a strong
bisimulation as defined in [27] can be seen as a structure preserving bisimulation of the
form $\widehat{B}$. The nets $N_1$ and $N_2$ are strongly bisimilar if $A_1 = A_2$ and there is a linking $l$
in a strong bisimulation with $M_1 = \pi_1(l)$ and $M_2 = \pi_2(l)$.


This reformulation of the definition from [27] makes immediately clear that strong
bisimilarity of two safe Petri nets implies their structure preserving bisimilarity.
Consequently, the concurrency requirement for the net semantics from Olderog, as formalised
by Requirements (1) and (2) in Section 4, holds for structure preserving bisimilarity.
7 Compositionality


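In this section I show that structure preserving bisimilarity is a congruence for the
operators of CCSP, or, in other words, that these operators are compositional up to $\underline{\leftrightarrow}_{sp}$.

Theorem 2. If $N_1 \underline{\leftrightarrow}_{sp} N_2$, $a \in Act$ and $R \subseteq Act \times Act$, then $a_{\mathcal{N}}N_1 \underline{\leftrightarrow}_{sp} a_{\mathcal{N}}N_2$ and
$R_{\mathcal{N}}(N_1) \underline{\leftrightarrow}_{sp} R_{\mathcal{N}}(N_2)$. If $N_1^l \underline{\leftrightarrow}_{sp} N_2^l$ and $N_1^r \underline{\leftrightarrow}_{sp} N_2^r$ then $N_1^l \|_{\mathcal{N}} N_1^r \underline{\leftrightarrow}_{sp} N_2^l \|_{\mathcal{N}} N_2^r$
and, if the initial markings of $N_i^l$ and $N_i^r$ are nonempty sets, $N_1^l +_{\mathcal{N}} N_1^r \underline{\leftrightarrow}_{sp} N_2^l +_{\mathcal{N}} N_2^r$.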

Proof. Let $N_i = (S_i, T_i, F_i, M_i, A_i, \ell_i)$ for $i = 1, 2$, and let $s_i$ and $u_i$ be the fresh place
and transition introduced in the definition of $a_{\mathcal{N}}N_i$. From $N_1 \underline{\leftrightarrow}_{sp} N_2$ it follows that
$A_1 = A_2$ and hence $A_1 \cup \{a\} = A_2 \cup \{a\}$.

Let $\mathcal{B}$ be an sp-bisimulation containing a linking $k$ with $M_i = \pi_i(k)$ for $i = 1, 2$.
Let $\mathcal{B}_a := \mathcal{B} \cup \{h\}$ with $h = \{(s_1, s_2)\}$. Then $h$ links the initial markings of $a_{\mathcal{N}}N_1$
and $a_{\mathcal{N}}N_2$. Hence it suffices to show that $\mathcal{B}_a$ is an sp-bisimulation. So suppose $c \le h$
and $\pi_1(c) = {}^\bullet t_1$ for some $t_1 \in T_1$. Then $c = h$ and $t_1 = u_1$. Take $t_2 := u_2$ and $\bar{h} := \bar{c} := k$.

To show that $R_{\mathcal{N}}(N_1) \underline{\leftrightarrow}_{sp} R_{\mathcal{N}}(N_2)$ it suffices to show that $\mathcal{B}$ also is an
sp-bisimulation between $R_{\mathcal{N}}(N_1)$ and $R_{\mathcal{N}}(N_2)$, which is straightforward.

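Now let $N_i^l = (S_i^l, T_i^l, F_i^l, M_i^l, A_i^l, \ell_i^l)$ and $N_i^r = (S_i^r, T_i^r, F_i^r, M_i^r, A_i^r, \ell_i^r)$ for $i = 1, 2$.
Let $A := A_1^l \cap A_1^r = A_2^l \cap A_2^r$. Create the disjoint union of $N_i^l$ and $N_i^r$ in the definition
of $N_i^l \|_{\mathcal{N}} N_i^r$ by renaming all places $s$ and transitions $t$ of $N_i^l$ into $s\|_A$ and $t\|_A$, and all
places $s$ and transitions $t$ of $N_i^r$ into ${}_A\|s$ and ${}_A\|t$. Let $\mathcal{B}^l$ and $\mathcal{B}^r$ be sp-bisimulations
containing linkings $k^l$ and $k^r$, respectively, with $M_i^l = \pi_i(k^l)$ and $M_i^r = \pi_i(k^r)$, for
$i = 1, 2$. Take $\mathcal{B} := \{(h^l\|_A) + ({}_A\|h^r) \mid h^l \in \mathcal{B}^l \wedge h^r \in \mathcal{B}^r\}$, where
$h^l\|_A := \{(s_1\|_A, s_2\|_A) \mid (s_1, s_2) \in h^l\}$ and ${}_A\|h^r$ is defined likewise. Then
$\pi_i((k^l\|_A) + ({}_A\|k^r)) = \pi_i(k^l)\|_A + {}_A\|\pi_i(k^r) = M_i^l\|_A + {}_A\|M_i^r$ is the initial marking of
$N_i^l \|_{\mathcal{N}} N_i^r$ for $i = 1, 2$, so it suffices to show that $\mathcal{B}$ is an sp-bisimulation.

So suppose $c \le (h^l\|_A) + ({}_A\|h^r) \in \mathcal{B}$ with $h^l \in \mathcal{B}^l$ and $h^r \in \mathcal{B}^r$ and $\pi_1(c) = {}^\bullet t_1$ for
$t_1$ a transition of $N_1^l \|_{\mathcal{N}} N_1^r$. Then $c$ has the form $(c^l\|_A) + ({}_A\|c^r)$ for $c^l \le h^l \in \mathcal{B}^l$ and
$c^r \le h^r \in \mathcal{B}^r$, and $t_1$ has the form (i) $t_1^l\|_A$ for $t_1^l \in T_1^l$ with $\ell_1^l(t_1^l) \notin A$, or (ii) $(t_1^l\|_A, {}_A\|t_1^r)$
for $t_1^l \in T_1^l$ and $t_1^r \in T_1^r$ with $\ell_1^l(t_1^l) = \ell_1^r(t_1^r) \in A$, or (iii) ${}_A\|t_1^r$ for $t_1^r \in T_1^r$ with
$\ell_1^r(t_1^r) \notin A$. In case (i) one has $c^r = \emptyset$ and $\pi_1(c^l) = {}^\bullet t_1^l$, whereas in case (ii) $\pi_1(c^l) = {}^\bullet t_1^l$
and $\pi_1(c^r) = {}^\bullet t_1^r$. I only elaborate case (ii); the other two proceed likewise. Since $\mathcal{B}^l$
is an sp-bisimulation, there are a transition $t_2^l$ with $\ell_2^l(t_2^l) = \ell_1^l(t_1^l)$ and $\pi_2(c^l) = {}^\bullet t_2^l$,
and a linking $\bar{c}^l$ such that $\pi_1(\bar{c}^l) = t_1^{l\,\bullet}$, $\pi_2(\bar{c}^l) = t_2^{l\,\bullet}$ and $\bar{h}^l := h^l - c^l + \bar{c}^l \in \mathcal{B}^l$.
Likewise, since $\mathcal{B}^r$ is an sp-bisimulation, there are a transition $t_2^r$ with $\ell_2^r(t_2^r) = \ell_1^r(t_1^r)$
and $\pi_2(c^r) = {}^\bullet t_2^r$, and a linking $\bar{c}^r$ such that $\pi_1(\bar{c}^r) = t_1^{r\,\bullet}$, $\pi_2(\bar{c}^r) = t_2^{r\,\bullet}$ and
$\bar{h}^r := h^r - c^r + \bar{c}^r \in \mathcal{B}^r$. Take $t_2 := (t_2^l\|_A, {}_A\|t_2^r)$. This transition has the same label as
$t_2^l$, $t_2^r$, $t_1^l$, $t_1^r$ and $(t_1^l\|_A, {}_A\|t_1^r) = t_1$. Moreover, $\pi_2(c) = \pi_2(c^l)\|_A + {}_A\|\pi_2(c^r) =
{}^\bullet t_2^l\|_A + {}_A\|{}^\bullet t_2^r = {}^\bullet t_2$. Take $\bar{c} := (\bar{c}^l\|_A) + ({}_A\|\bar{c}^r)$. Then $\pi_1(\bar{c}) = t_1^\bullet$, $\pi_2(\bar{c}) = t_2^\bullet$ and
$\bar{h} := h - c + \bar{c} = (\bar{h}^l\|_A) + ({}_A\|\bar{h}^r) \in \mathcal{B}$, where $h := (h^l\|_A) + ({}_A\|h^r)$.

Let $N_i^l = (S_i^l, T_i^l, F_i^l, M_i^l, A_i^l, \ell_i^l)$ and $N_i^r = (S_i^r, T_i^r, F_i^r, M_i^r, A_i^r, \ell_i^r)$ for $i = 1, 2$, with
$M_i^l$ and $M_i^r$ nonempty plain sets, but this time I assume the nets to already be disjoint,
and such that all the places and transitions added in the construction of $N_i^l +_{\mathcal{N}} N_i^r$
are fresh. Let $\mathcal{B}^l$ and $\mathcal{B}^r$ be as above. Without loss of generality I may assume that
the linkings $h$ in $\mathcal{B}^l$ and $\mathcal{B}^r$ have the property that $\pi_i(h)$ is a reachable marking for
$i = 1, 2$, so that the restriction of $\pi_i(h)$ to $M_i^l$ or $M_i^r$ is a plain set. Define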

:= {h\ + {h\ ® k'') \ + fc'} 

{hi + (fc* (g) h\) \ hl + h\&^'^ Ah\% fc’-} U {fc' 0 fc’’} 

where := {((si, s^), (s^, S 2 )) I Now 7ri(fc*0fc’’) = 

■Ki{k}) X TTilk^) = Ml X Ml is the initial marking of Nl +Ar N^, so again it suffices 
to show that is an sp-bisimulation. 

So suppose c < hl + {hl^_ 0 fc’’) G with hl + hl^_€ ^ fc* and 7ri(c) = *fi 

for ti a transition of Nl +j^ N{. 

First consider the case that c < hi. Then c < hi < hi + h''_^_ G iiSK Since is an 
sp-bisimulation, there are a transition ^2 G with -^ 2 (^ 2 ) = -^ 1 (^ 1 ) and 7r2(c) = *t 2 , 
and a linking c such that 7ri(c) = fi*, 7r2(c) = ^ 2 * and hi + h'l — c + c € . Now 

^i + (/i+0fc’')—c+c = (/i*. — c+c) + (/i!^ 0 A: 2 )G,^+ because {hl — c+c) + h\&SS^. 

In the remaining case 7ri(c) contains a place (s^, s^) G M| x Mf, so ti must have 
either the form with % ^ K <'t\r\ Ml for some t\ G Tl, or with % ^ K < 
n M{ for some G T^. First assume, towards a contradiction, that fi = Then 
MlxK < =7ri(c) <7ri(/i*,) -|-7ri(/i5^ 0fc’'). Since the places in MlxK C Mix Ml 

are fresh, it follows that X iT < 0fc'') < 7ri(/i5^) x 7ri(fc’’) < TTi{h^j^) x Ml, 

implying that M| < tti and K < Ml —here I use that Ml^th^K and tti and 
Ml are plain sets. However, the condition hl_ ^ fc* implies that tti {hl_) ^ tti (fc*) = M{, 
yielding a contradiction. Hence ti is of the form 

Since 7ri(c) = = t{—K + (K x Ml), the linking c must have the form c,+c' 

with 7ri(c,) = t\ — K and 7ri(c') = K x Ml. As no place in t\ — K can be in 
Ml X Ml 0 7ri(/i5^ 0 fc’’), it follows that c, < hi. Likewise, as none of the places in 
K X Ml can be in TTi{hl), it follows that c' < hl^ 0 fc’’. Thus K x Ml = 7ri(c') < 
7ri(/i5^ 0 fc’’) < 7ri(/i5^) X 7ri(fc’’) < X Ml, implying K < 7ri(/i5^)—again 

using that iriihlj^) and Mf 0 are plain sets. The linking h\ 0 fc’’ has the property 
that its projection 0 k'') is a plain set. Since a subset c" of a such linking is 

completely determined by its first projection 7ri(c"), it follows that c' = c+ 0 k^ for 
the unique linking c+ < hl^ with tti (c+ ) = K. 

Now c, + C+ < hl + hl_€3§^ and 7ri(c, +c+) = (^t\—K) + K = *t\. Since is an 
sp-bisimulation, there are a transition with =£{{t\) and 7r2(c,-|-c+) = t^, 

and a linking c such that 7ri(c) = t\*, 7r2(c) = and hi + h’'j^ — {c, + c+) + c G . 
Let L :=7r2(c+). Then L since K L = ■K 2 {c+) < 'K 2 {h^+) < T^ 2 {k^) = and 
L = 7r2(c+) < 7r2(c, -|- c+) = t\. By Definition|3iV2 +jgN l has a transition with 

^(4) =4(4) =4(4) *4 = 'tl-L + lL X Ml)= 7r2(c. -bc+) -7r2(c+) -f 

(7r2(c+) X 7ri(fc’')) = 7r2(c, -f (c+ 0 fc’’)) = 7r2(c) and = t\ = 7r2(c). Moreover, 
7ri(c)=f(*=ff*. Finally,/i^-|-(/i(^0fc’’)—c-fc = (/i^—c,-|-c)-|-((/i(^—c+)0fc’') G 
since [hi — c, -f c') + {h}j^—c+) G and c+ < ^ kK 

The case supposing c < hi + {k^ 0 G follows by symmetry, whereas the 
case c<k{‘®k'^ proceeds by simplification of the other two cases. □ 
8 Processes of nets and causal equivalence


A process of a net $N$ [29,9,19] is essentially a conflict-free, acyclic net together with
a mapping function to $N$. It can be obtained by unwinding $N$, choosing one of the
alternatives in case of conflict. It models a run, or concurrent computation, of $N$. The
acyclic nature of the process gives rise to a notion of causality for transition firings in
the original net via the mapping function. A conflict present in the original net is
represented by the existence of multiple processes, each representing one possible way to
decide the conflict. This notion of process differs from the one used in process algebra;
there a “process” refers to the entire behaviour of a system, including all its choices.

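Definition 6. A causal net$^2$ is a net $\mathcal{N} = (\mathcal{S}, \mathcal{T}, \mathcal{F}, \mathcal{M}_0, \mathcal{A}, \ell_{\mathcal{N}})$ satisfying

- $\mathcal{F}$ is acyclic, i.e., $\forall x \in \mathcal{S} \cup \mathcal{T}.\ (x, x) \notin \mathcal{F}^+$, where $\mathcal{F}^+$ is the transitive closure of
  $\{(x, y) \mid \mathcal{F}(x, y) > 0\}$,

- and $\{t \in \mathcal{T} \mid (t, u) \in \mathcal{F}^+\}$ is finite for all $u \in \mathcal{T}$.

A folding from a net $\mathcal{N} = (\mathcal{S}, \mathcal{T}, \mathcal{F}, \mathcal{M}_0, \mathcal{A}, \ell_{\mathcal{N}})$ into a net $N = (S, T, F, M_0, A, \ell)$ is a
function $\rho : \mathcal{S} \cup \mathcal{T} \to S \cup T$ with $\rho(\mathcal{S}) \subseteq S$ and $\rho(\mathcal{T}) \subseteq T$, satisfying

- $\mathcal{A} = A$ and $\ell_{\mathcal{N}}(t) = \ell(\rho(t))$ for all $t \in \mathcal{T}$,

- $\rho(\mathcal{M}_0) = M_0$, i.e. $M_0(s) = |\rho^{-1}(s) \cap \mathcal{M}_0|$ for all $s \in S$, and

- $\forall t \in \mathcal{T}, s \in S.\ F(s, \rho(t)) = |\rho^{-1}(s) \cap {}^\bullet t| \wedge F(\rho(t), s) = |\rho^{-1}(s) \cap t^\bullet|$.

A pair $\mathcal{P} = (\mathcal{N}, \rho)$ of a causal net $\mathcal{N}$ and a folding of $\mathcal{N}$ into a net $N$ is a process of $N$.
$\mathcal{P}$ is called finite if $\mathcal{T}$ is finite.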


Note that if $N$ has bounded parallelism, then so do all of its processes.


Definition 7. [27] A net $\mathcal{N}$ is called a causal net of a net $N$ if it is the first component
of a process $(\mathcal{N}, \rho)$ of $N$. Two nets $N_1$ and $N_2$ are causal equivalent, notation $N_1 \equiv_{caus} N_2$, if
they have the same causal nets.


Olderog shows that his relation of strong bisimilarity is included in =caus Gt), and 
thereby establishes the concurrency requirement (1) from Section 4 for $\equiv_{caus}$.

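For $\mathcal{N} = (\mathcal{S}, \mathcal{T}, \mathcal{F}, \mathcal{M}_0, \mathcal{A}, \ell_{\mathcal{N}})$ a causal net, let $\mathcal{N}^\circ := \{s \in \mathcal{S} \mid s^\bullet = \emptyset\}$. The
following result supports the claim that finite processes model finite runs.


Proposition 2. [19, Theorems 3.5 and 3.6] $M$ is a reachable marking of a net $N$ iff $N$
has a finite process $(\mathcal{N}, \rho)$ with $\rho(\mathcal{N}^\circ) = M$. Here $\rho(\mathcal{N}^\circ)(s) = |\rho^{-1}(s) \cap \mathcal{N}^\circ|$.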

$^2$ A causal net [29,34] is traditionally called an occurrence net [9,19,33]. Here, following [27], I
will not use the terminology “occurrence net” in order to avoid confusion with the occurrence
nets of [25,36]: the latter extend causal nets with forward branching places, thereby capturing
all runs of the represented system, together with the branching structure between them.

$^3$ For $H \subseteq \mathcal{S}$, the multiset $\rho(H) \in \mathbb{N}^S$ is defined by $\rho(H)(s) = |\rho^{-1}(s) \cap H|$. Using this, these
conditions can be reformulated as $\rho({}^\bullet t) = {}^\bullet\rho(t)$ and $\rho(t^\bullet) = \rho(t)^\bullet$.
A process is not required to represent a completed run of the original net. It might just
as well stop early. In those cases, some set of transitions can be added to the process 
such that another (larger) process is obtained. This corresponds to the system taking 
some more steps and gives rise to a natural order between processes. 

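Definition 8. Let $\mathcal{P} = ((\mathcal{S}, \mathcal{T}, \mathcal{F}, \mathcal{M}_0, \mathcal{A}, \ell), \rho)$ and $\mathcal{P}' = ((\mathcal{S}', \mathcal{T}', \mathcal{F}', \mathcal{M}'_0, \mathcal{A}', \ell'), \rho')$
be two processes of the same net. $\mathcal{P}'$ is a prefix of $\mathcal{P}$, notation $\mathcal{P}' \le \mathcal{P}$, and $\mathcal{P}$ an
extension of $\mathcal{P}'$, iff $\mathcal{S}' \subseteq \mathcal{S}$, $\mathcal{T}' \subseteq \mathcal{T}$, $\mathcal{M}'_0 = \mathcal{M}_0$, $\mathcal{F}' = \mathcal{F} \restriction (\mathcal{S}' \times \mathcal{T}' \cup \mathcal{T}' \times \mathcal{S}')$ and
$\rho' = \rho \restriction (\mathcal{S}' \cup \mathcal{T}')$. (This implies that $\mathcal{A}' = \mathcal{A}$ and $\ell' = \ell \restriction \mathcal{T}'$.)

The requirements above imply that if $\mathcal{P}' \le \mathcal{P}$, $(x, y) \in \mathcal{F}^+$ and $y \in \mathcal{S}' \cup \mathcal{T}'$ then
$x \in \mathcal{S}' \cup \mathcal{T}'$. Conversely, any subset $\mathcal{T}' \subseteq \mathcal{T}$ satisfying $(t, u) \in \mathcal{F}^+ \wedge u \in \mathcal{T}' \Rightarrow t \in \mathcal{T}'$
uniquely determines a prefix of $\mathcal{P}$. A process $(\mathcal{N}, \rho)$ of a net $N$ is initial if $\mathcal{N}$ contains
no transitions; then $\rho(\mathcal{N}^\circ)$ is the initial marking of $N$. Any process has an initial prefix.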

Proposition 3. [19, Theorem 3.17] If $\mathcal{P}_i = ((\mathcal{S}_i, \mathcal{T}_i, \mathcal{F}_i, \mathcal{M}_{0i}, \mathcal{A}_i, \ell_i), \rho_i)$ ($i \in \mathbb{N}$) is a
chain of processes of a net $N$, satisfying $\mathcal{P}_i \le \mathcal{P}_j$ for $i \le j$, then there exists a unique
process $\mathcal{P} = ((\mathcal{S}, \mathcal{T}, \mathcal{F}, \mathcal{M}_0, \mathcal{A}, \ell), \rho)$ of $N$ with $\mathcal{S} = \bigcup_{i \in \mathbb{N}} \mathcal{S}_i$ and $\mathcal{T} = \bigcup_{i \in \mathbb{N}} \mathcal{T}_i$—the
limit of this chain—such that $\mathcal{P}_i \le \mathcal{P}$ for all $i \in \mathbb{N}$. □

In [29,9,19] processes were defined without the third requirement of Definition 6. Goltz
and Reisig [19] observed that certain processes did not correspond with runs of systems,
and proposed to restrict the notion of a process to those that can be obtained as the limit
of a chain of finite processes [19, end of Section 3]. By [19, Theorems 3.18 and 2.14],
for processes of finite nets this limitation is equivalent with imposing the third bullet
point of Definition 6. My restriction to nets with bounded parallelism serves to recreate
this result for processes of infinite nets.

Proposition 4. Any process of a net can be obtained as the limit of a chain of finite 
approximations. 

Proof. Define the depth of a transition $u$ in a causal net as one more than the maximum
of the depth of all transitions $t$ with $t \mathrel{\mathcal{F}^+} u$. Since the set of such transitions $t$ is finite,
the depth of a transition $u$ is a finite integer. Now, given a process $\mathcal{P}$, the approximation
$\mathcal{P}_i$ is obtained by restricting to those transitions in $\mathcal{P}$ of depth $\le i$, together with all their
pre- and postplaces, and keeping the initial marking. Clearly, these approximations form
a chain, with limit $\mathcal{P}$. By induction on $i$ one shows that $\mathcal{P}_i$ is finite. For $\mathcal{P}_0$ this is trivial,
as it has no transitions. Now assume $\mathcal{P}_i$ is finite but $\mathcal{P}_{i+1}$ is not. Executing, in $\mathcal{P}_{i+1}$,
all transitions of $\mathcal{P}_i$ one by one leads to a marking of $\mathcal{P}_{i+1}$ in which all remaining
transitions of $\mathcal{P}_{i+1}$ are enabled. As these transitions cannot have common preplaces,
this violates the assumption that $\mathcal{P}_{i+1}$ has bounded parallelism. □

9 A process-based characterisation of sp-bisimilarity 

This section presents an alternative characterisation of sp-bisimilarity that will be
instrumental in obtaining Theorems 4 and 5, saying that $\underline{\leftrightarrow}_{sp}$ is a finer semantic equivalence
than $\equiv_{caus}$ and $\approx_h$. This characterisation could have been presented as the original
definition; however, the latter is instrumental in showing that $\underline{\leftrightarrow}_{sp}$ is coarser than $\approx_{pb}$ and
$\equiv_{occ}$, and implied by Olderog’s strong bisimilarity.
Definition 9. A process-based sp-bisimulation between two nets $N_1$ and $N_2$ is a set $\mathcal{R}$
of triples $(\rho_1, \mathcal{N}, \rho_2)$ with $(\mathcal{N}, \rho_i)$ a finite process of $N_i$, for $i = 1, 2$, such that

- $\mathcal{R}$ contains a triple $(\rho_1, \mathcal{N}, \rho_2)$ with $\mathcal{N}$ a causal net containing no transitions,

- if $(\rho_1, \mathcal{N}, \rho_2) \in \mathcal{R}$ and $(\mathcal{N}', \rho'_i)$ with $i \in \{1, 2\}$ is a finite process of $N_i$ extending $(\mathcal{N}, \rho_i)$
  then $N_j$ with $j := 3 - i$ has a process $(\mathcal{N}', \rho'_j) \ge (\mathcal{N}, \rho_j)$ such that $(\rho'_1, \mathcal{N}', \rho'_2) \in \mathcal{R}$.

Theorem 3. Two nets are sp-bisimilar iff there exists a process-based sp-bisimulation 
between them. 

Proof. Let be a process-based sp-bisimulation between nets Ni and 7 V 2 . Define 
.^ : = { {(pi (s), p 2 (s)) I s G TnT” } I (pi, N, p 2 ) £ ff}. Then is an sp-bisimulation; 

- Let c < I € and 7ri(c) = for ti S Ti. Then I = {(pi(s), P 2 (s) | s S 3\f°} 

for some (pi, ?sf, P 2 ) G Extend !N to by adding a fresh transition t and fresh 
places Si for s G Si and i S IN with ^ 1 (^ 1 , s) > i\ let ‘t = {s S | pi(s) S ’fi} 
and t* = {si I s S A i S IN AFi(fi, s) > i}. Furthermore, extend pi to p[ by 
Pi(t) := ti and p[{si) := s. Then ' p'i{i) = 'h = pi(*t) and pi(t)* = fi* = p'i(f), 
so (Nf, pf) is a process of iVi, extending (NT, pi). Since is a process-based sp- 
bisimulation, N 2 has a process (fH' ^p'f) > (NT, P 2 ) such that , p'f) G Sf. 

Take ^2 := / 02 (t)- Then4(f2) = = ^ 1 (^ 1 ) and c = {(pi(s), p 2 (s) | s S’t}, 

so 7r2(c) = {P 2 (s) I s G’t} = p 2 Ct) = P 2 (*t) = *P 2 (t) = 't 2 - Take c' := 
{(p'i(s),P 2 (s)) I s G t*}. Then 7ri(c') = fi*, 7r2(c') = f 2 * and P := I — c-\- c' = 

{(p'(s),p^(s)) I s G X°-n+f} = {(pi(s),p'2(s)) I S G G 

- The other clause follows by symmetry. 

Since contains a triple (pi, NT, P 2 ) with NT a causal net containing no transitions, 
contains a linking / := {(pi(s), P 2 (s)) | s G such that Tri{l) = pi(7Nf°) = Mi for 

i = 1,2, where Mi is the initial marking of Ni. Since (NT, pi) is a process of Ni, Ni 

must have the the same type as NT, for z = 1, 2. It follows that t±sp N 2 . 

Now let be an sp-bisimulation between nets A^i and N 2 . Let ^ := {(pi, N, p 2 ) | 
(3\f, Pi) is a finite process of Ni {i = 1, 2) and {(pi(s), p 2 (s)) | s G Nf°} G Then 
is a process-based sp-bisimulation. 

- SS must contain a linking I with Tri{l) = Mi for z = 1, 2, where Mi is the initial 
marking of Np, let I = {(s^, S 2 ) \ k G K}. Let Nf be a causal net with places 
for k G K and no transitions, and define pi for z = 1,2 by pi(s^) = sf for k G K. 
Then (Nf, pi) is an initial process of (z = 1, 2) and (pi ,'N, P 2 ) G Sf. 

- Suppose (pi, NT, P 2 ) G and (7\f, pf) is a finite process of Ni extending (NT, pi). 

(The case of a finite process of N 2 extending (N, pi) will follow by symmetry.) 
Then I := {(pi (s), p 2 (s)) | s G } G^. Without loss of generality, I may assume 
that extends 3\f by just one transition, t. The definition of a causal net ensures that 

•f C NT, and the definition of a process gives Pi(*t) = *fi, where ti := Pi(t). Let 
c := {(pi(s), p 2 (s)) I s G *t}. Then c < I and 7ri(c) = pi(*t) = pi(*t) = *fi. Since 
^ is an sp-bisimulation, there are a transition t 2 with i{t 2 )=i{ti) and 7r2(c) = *^ 2 , 
and a linking c' such that 7ri(c') = fi*, 7r2(c') = ^ 2 * and I' := I — c c' G 
The definition of a process gives Pi(t*) = fi*. This makes it possible to extend 
P 2 to P 2 SO that p 2 (t) := ^ 2 , = h' and c' = {{p'i{s), P 2 {s)) \ s G i*}. 

Moreover, P 2 (*t) = P 2 (*t) = t^ 2 {c) = *^ 2 - Thus (Nf, pf) is a finite process of N 2 
extending (3\r,p2). Furthermore, {(p^js), p' 2 (s)) | s G Nf'°} = {(p;(s), p^(s)) | 
s G Nf° — ’t -I- t*} = ( — c -I- c' G Hence (p'^, P 2 ) G fS. □ 
10 Relating sp-bisimilarity to other semantic equivalences

In this section I place sp-bisimilarity in the spectrum of existing semantic equivalences
for nets, as indicated in Figure 1.

10.1 Place bisimilarity 

The notion of a place bisimulation, defined in H], can be reformulated as follows. 

Definition 10. A place bisimulation is a structure preserving bisimulation of the form
$\overline{B}$ (where $\overline{B}$ is defined in Section 5). Two nets $N_i = (S_i, T_i, F_i, M_i, A_i, \ell_i)$ ($i = 1, 2$) are
strongly bisimilar, notation $N_1 \approx_{pb} N_2$, if $A_1 = A_2$ and there is a linking $l$ in a place
bisimulation with $M_1 = \pi_1(l)$ and $M_2 = \pi_2(l)$.

It follows that $\approx_{pb}$ is finer than $\underline{\leftrightarrow}_{sp}$, in the sense that place bisimilarity of two nets
implies their structure preserving bisimilarity.

10.2 Occurrence net equivalence 

Definitions of the unfolding for various classes of Petri nets into an occurrence net 
appear in 025I35I36I16I7I23IT^ —I will not repeat them here. In all these cases, the 
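definition directly implies that if an occurrence net $\mathcal{N}$ results from unfolding a net $N$
then $\mathcal{N}$ is safe and there exists a folding of $\mathcal{N}$ into $N$ (recall Definition 6) satisfying

- if $\mathcal{M}$ is a reachable marking of $\mathcal{N}$, and $t \in T$ is a transition of $N$ with ${}^\bullet t \le \rho(\mathcal{M})$
  then there is a $\mathsf{t} \in \mathcal{T}$ with $\rho(\mathsf{t}) = t$.

Proposition 5. If such a folding from $\mathcal{N}$ to $N$ exists, then $\mathcal{N} \underline{\leftrightarrow}_{sp} N$.

Proof. The set of linkings $\mathcal{B} := \{\{(s, \rho(s)) \mid s \in \mathcal{M}\} \mid \mathcal{M}$ a reachable marking of $\mathcal{N}\}$
is an sp-bisimulation between $\mathcal{N}$ and $N$. Checking this is trivial. □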

Two nets $N_1$ and $N_2$ are occurrence net equivalent IfT^ if they have isomorphic unfoldings.
Since isomorphic nets are strongly bisimilar EH and hence structure preserving
bisimilar, it follows that occurrence net equivalence between nets is finer than structure
preserving bisimilarity.

In El it is pointed out that the strong bisimilarity of Olderog “is not compatible with
unfoldings”; they show two nets that have isomorphic unfoldings, yet are not strongly
bisimilar. However, when the net $N$ is safe, the sp-bisimulation displayed in the proof of
Proposition 5 is in fact a strong bisimulation, showing that each net is strongly bisimilar
with its unfolding. This is compatible with the observation of El because of the
non-transitivity of strong bisimilarity.
10.3 Causal equivalence

Causal equivalence is coarser than structure preserving bisimilarity.

Theorem 4. If $N_1 \underline{\leftrightarrow}_{sp} N_2$ for nets $N_1$ and $N_2$, then $N_1 \equiv_{caus} N_2$.

Proof By Theorem [3] there exists a process-based sp-bisimulation between iVi and 
N 2 . Sf must contain a triple 3Nf°, P 2 ) with a causal net containing no transitions. 
So (!N°, pf) and P 2 ) are initial processes of and N 2 , respectively. The net 
contains isolated places only, as many as the size of the initial markings of and A^ 2 - 
Let Tsf be a causal net of A^i. I have to prove that is also a causal net of N 2 . 
Without loss of generality I may assume that 3\f° is a prefix of [)Sf, as being a causal net 
of a given Petri net is invariant under renaming of its places and transitions. 

So has a process Ti = (Jf,pi). By Proposition 01 Ti is the limit of a chain 
< ... of finite processes of A^i. Moreover, for !P° one can take (TnI^, p^). 
Let ‘y\ = (3\r, p\) for i G M. By induction on i G M, it now follows from the properties 
of a process-based sp-bisimulation that N 2 has processes such 

that (TsT, p\) < S Using Proposition |3l the limit 

IP2 = P 2 ) of this chain is a process of N2, contributing the causal net Tsf. □ 

10.4 History preserving bisimilarity 

The notion of history preserving bisimilarity was originally proposed in 1^ under 
the name behavior structure bisimilarity, studied on event structures in 03, and first 
defined on Petri nets, under the individual token interpretation, in JS], under the name
fully concurrent bisimulation equivalence. 

Definition 11. |l2l Let Ni = (Si, 7i, S'i, {i = 1, 2) be two causal nets. An 

order-isomorphism between them is a bijection /3 : Ti — “72 such that Ai = A2, 
^2(/3(t)) = ^i{t) for all t G 7i, and t 7\ u iff /3(f) 7^ (3{u) for all t,u G Ti. 

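Definition 12. llU A fully concurrent bisimulation between two nets $N_1$ and $N_2$ is a
set $\mathcal{R}$ of triples $((\mathcal{N}_1, p_1), \beta, (\mathcal{N}_2, p_2))$ with $(\mathcal{N}_i, p_i)$ a finite process of $N_i$, for $i = 1, 2$,
and $\beta$ an order-isomorphism between $\mathcal{N}_1$ and $\mathcal{N}_2$, such that

- $\mathcal{R}$ contains a triple $((\mathcal{N}_1, p_1), \beta, (\mathcal{N}_2, p_2))$ with $\mathcal{N}_1$ containing no transitions,

- if $(\mathcal{P}_1, \beta, \mathcal{P}_2) \in \mathcal{R}$ and $\mathcal{P}'_i$ with $i \in \{1, 2\}$ is a fin. proc. of $N_i$ extending $\mathcal{P}_i$, then $N_j$
with $j := 3-i$ has a process $\mathcal{P}'_j > \mathcal{P}_j$ such that $(\mathcal{P}'_1, \beta', \mathcal{P}'_2) \in \mathcal{R}$ for some $\beta' \supseteq \beta$.

Write $N_1 \approx_h N_2$ or $N_1 \approx_{fcb} N_2$ iff such a bisimulation exists.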

It follows immediately from the process-based characterisation of sp-bisimilarity in
Section 9 that fully concurrent bisimilarity (or history preserving bisimilarity based on
the individual token interpretation of nets) is coarser than sp-bisimilarity.

Theorem 5. If $N_1 \underline{\leftrightarrow}_{sp} N_2$ for nets $N_1$ and $N_2$, then $N_1 \approx_h N_2$.


Proof. A process-based sp-bisimulation is simply a fully concurrent bisimulation with
the extra requirement that $\beta$ must be the identity relation. □

11 Inevitability for non-reactive systems


A run or execution of a system modelled as Petri net N can be formalised as a path of 
N (defined in Section O or a process of N (defined in Section [Sll. A path or process 
representing a complete run of the represented system—one that is not just the first 
part of a larger run—is sometimes called a complete path or process. Once a formal 
definition of a complete path or process is agreed upon, an action b is inevitable in a net 
N iff each complete path (or each complete process) of N contains a transition labelled 
b. In case completeness is defined both for paths and processes, the definitions ought to 
be such that they give rise to the same concept of inevitability. 

The definition of which paths or processes count as being complete depends on 
two factors: (1) whether actions that a net can perform by firing a transition are fully 
under control of the represented system itself or (also) of the environment in which it 
will be running, and (2) what type of progress or fairness assumption one postulates to 
guarantee that actions that are due to occur will actually happen. In order to address (2) 
first, in this section I deal only with nets in which all activity is fully under control of the 
represented system. In Section 14 I will generalise the conclusions to reactive systems.

When making no progress or fairness assumptions, a system always has the option 
not to progress further, and all paths and all processes are complete—in particular initial 
paths and processes, containing no transitions. Consequently, no action is inevitable in 
any net, so each semantic equivalence respects inevitability. 

When assuming progress, but not justness or fairness, any infinite path or process is 
complete, and a finite path or process is complete iff it is maximal, in the sense that it has 
no proper extension. In this setting, interleaving bisimilarity, and hence also each finer 
equivalence, respects inevitability. The argument is that an interleaving bisimulation 
induces a relation between the paths of two related nets $N_1$ and $N_2$, such that

- each path of $N_1$ is related to a path of $N_2$ and vice versa,

- if two paths are related, either both or neither contain a transition labelled b, 

- if two paths are related, either both or neither of them are complete. 
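
The progress-only notion of inevitability described above can be decided on the reachability graph of a finite-state safe net. The following Python code is an added example, not part of the paper: the dict encoding of nets, the function names and the three sample nets are assumptions constructed for illustration.

```python
from collections import deque

# Assumed encoding: a safe net is {transition: (preplaces, postplaces, label)};
# a marking is a frozenset of marked places.
def enabled(net, marking):
    return [t for t, (pre, _, _) in net.items() if pre <= marking]

def fire(net, marking, t):
    pre, post, _ = net[t]
    return frozenset((marking - pre) | post)

def inevitable_under_progress(net, initial, b):
    """True iff every complete path from `initial` contains a b-labelled transition,
    where complete means infinite or maximal finite (progress, no justness)."""
    start = frozenset(initial)
    succ, queue = {}, deque([start])   # reachability graph restricted to non-b firings
    while queue:
        m = queue.popleft()
        if m in succ:
            continue
        ts = enabled(net, m)
        if not ts:
            return False               # maximal finite path that never fired b
        succ[m] = [fire(net, m, t) for t in ts if net[t][2] != b]
        queue.extend(succ[m])
    # Prune markings from which every continuation must fire b; whatever survives
    # lies on an infinite b-free path, which is complete under progress alone.
    alive = set(succ)
    while True:
        dead = {m for m in alive if not any(s in alive for s in succ[m])}
        if not dead:
            return not alive
        alive -= dead

f = frozenset
# Constructed sample nets: a then b in sequence; a choice between a and b;
# an a-loop in parallel with a single b.
SEQ    = {"t1": (f({"s0"}), f({"s1"}), "a"), "t2": (f({"s1"}), f({"s2"}), "b")}
CHOICE = {"t1": (f({"s0"}), f({"s1"}), "a"), "t2": (f({"s0"}), f({"s2"}), "b")}
PAR    = {"t1": (f({"p"}), f({"p"}), "a"), "t2": (f({"q"}), f({"r"}), "b")}

if __name__ == "__main__":
    for name, net, m0 in [("SEQ", SEQ, {"s0"}), ("CHOICE", CHOICE, {"s0"}),
                          ("PAR", PAR, {"p", "q"})]:
        print(name, inevitable_under_progress(net, m0, "b"))
```

In PAR the b-transition stays enabled throughout, yet the infinite a-run counts as complete under progress alone, so b is not inevitable there. Under the justness assumption adopted in the rest of the paper that run is not maximal as a process, and b becomes inevitable.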

In the rest of this paper I will assume justness, and hence also progress, but not
(weak or strong) fairness, as explained in Section 14. In this setting a process is just or
complete* iff it is maximal, in the sense that it has no proper extension.




Example 3. The net depicted on the right has a
complete process performing the action a infinitely
often, but never the action b. It consumes each token
that is initially present or stems from any firing of the transition Hence b is not
inevitable. This fits with the intuition that if a transition occurrence is perpetually enabled
it will eventually happen—but only when strictly adhering to the individual token
interpretation of nets. Under this interpretation, each firing of using a particular token
is a different transition occurrence. It is possible to schedule an infinite sequence of $a$s
in such a way that none such transition occurrence is perpetually enabled from some
point onwards.


* The term “complete” is meant to vary with the choice of a progress or fairness assumption; 
when assuming only justness, it is set to the value “just”. 

When adhering to the collective token interpretation of nets, the action b could be
considered inevitable, as in any execution scheduling as only, transition is perpetually 
enabled. Since my structure preserving bisimulation fits within the individual token 
interpretation, here one either should adhere to that interpretation, or restrict attention 
to safe nets, where there is no difference between both interpretations. 


12 History preserving bisimilarity does not respect inevitability 



Fig. 5. A net in which the action b is not inevitable 


Consider the safe net $N_1$ depicted in Figure 5 and the net $N_2$ obtained from $N_1$ by
exchanging for any transition (oO) the preplace sl_i for s^. The net $N_2$ performs in
parallel an infinite sequence of a-transitions (where at each step i>0 there is a choice
between t\ and t^) and a single b-transition (where there is a choice between for i>0).
In $N_2$ the action b is inevitable. In $N_1$, on the other hand, b is not inevitable, for the run
of $N_1$ in which t\ is chosen over for all i>0 is complete, and cannot be extended
with a b-transition. Thus, each semantic equivalence that equates $N_1$ and $N_2$ fails to
respect inevitability.

Theorem 6. Causal equivalence does not respect inevitability. 

Proof. $N_1 =_{caus} N_2$, because both nets have the same causal nets. One of these nets is
depicted in Figure 6; the others are obtained by omitting the b-transition, and/or omitting
all but a finite prefix of the a-transitions. □

Fig. 6. A causal net of $N_1$ and $N_2$


Theorem 7. History preserving bisimilarity does not respect inevitability. 

Proof. Recall that $N_1$ and $N_2$ differ only in their flow relations, and have the same set
of transitions. I need to describe a fully concurrent bisimulation $\mathcal{R}$ between $N_1$ and $N_2$.

$\mathcal{R}$ consists of a set of triples, each consisting of a process of $N_1$, a related process of
$N_2$, and an order isomorphism between them. First of all I include all triples $(\mathcal{P}_1, \beta, \mathcal{P}_2)$
where $\mathcal{P}_1$ is an arbitrary process of $N_1$, $\mathcal{P}_2$ is the unique process of $N_2$ that induces the
same set of transitions as $\mathcal{P}_1$, and $\beta$ relates transitions of $\mathcal{P}_1$ and $\mathcal{P}_2$ when they map
to the same transition of $N_i$ ($i=1,2$). Secondly, I include all triples $(\mathcal{P}_1, \beta, \mathcal{P}_2)$ where
$\mathcal{P}_2$ is an arbitrary process of $N_2$ inducing both and for some k>0, and $\mathcal{P}_1$ is
any process of $N_1$ that induces the same transitions as $\mathcal{P}_2$ except that, for some h>k
the induced transition if present, is replaced by and is replaced by t\. ($\beta$
should be obvious.) It is trivial to check that the resulting relation is a fully concurrent
bisimulation indeed. □


13 Structure preserving bisimilarity respects inevitability 

Definition 13. A net $\mathcal{N}$ is called a complete causal net of a net $N$ if it is the first
component of a maximal process $(\mathcal{N}, p)$ of $N$. Two nets $N_1$ and $N_2$ are complete causal net
equivalent, notation $=_{cc}$, if they have the same complete causal nets.

Since the causal nets of a net $N$ are completely determined by the complete causal
nets of $N$, namely as their prefixes, $N_1 =_{cc} N_2$ implies $N_1 =_{caus} N_2$. It follows
immediately from the definition of inevitability that $=_{cc}$ respects inevitability. Thus, to
prove that $\underline{\leftrightarrow}_{sp}$ respects inevitability it suffices to show that $\underline{\leftrightarrow}_{sp}$ is finer than $=_{cc}$.

Theorem 8. If $N_1 \underline{\leftrightarrow}_{sp} N_2$ for nets $N_1$ and $N_2$, then $N_1 =_{cc} N_2$.

Proof. Suppose $N_1 \underline{\leftrightarrow}_{sp} N_2$. By Theorem 3 there exists a process-based sp-bisimulation
$\mathcal{R}$ between $N_1$ and $N_2$. $\mathcal{R}$ must contain a triple $(p_1^0, \mathcal{N}^0, p_2^0)$ with $\mathcal{N}^0$ a causal net
containing no transitions. So $(\mathcal{N}^0, p_1^0)$ and $(\mathcal{N}^0, p_2^0)$ are initial processes of $N_1$ and $N_2$,
respectively. The net $\mathcal{N}^0$ contains isolated places only.

Let $\mathcal{N}$ be a complete causal net of $N_1$. I have to prove that $\mathcal{N}$ is also a complete
causal net of $N_2$. Without loss of generality I may assume that $\mathcal{N}^0$ is a prefix of $\mathcal{N}$, as
being a complete causal net of a given Petri net is invariant under renaming of its places.

So has a complete process fi = (7\f, pi). By Proposition IH IPi is the limit 
of a chain < ... of finite processes of A^i. Moreover, for one 
can take $(\mathcal{N}^0, p_1^0)$. Let = $(\mathcal{N}^i, p_1^i)$ for $i \in \mathbb{N}$. By induction on $i \in \mathbb{N}$, it now follows
from the properties of a process-based sp-bisimulation that $N_2$ has processes
such that (KpD < and (pl+\3^^+^ G 

Using Proposition 3 the limit $\mathcal{P}_2 = (\mathcal{N}, p_2)$ of this chain is a process of $N_2$. It remains
to show that $\mathcal{P}_2$ is complete.

Towards a contradiction, let $\mathcal{P}_{2u} = (\mathcal{N}_u, p_{2u})$ be a proper extension of $\mathcal{P}_2$, say with
just one transition, $u$. Then ${}^\bullet u \subseteq \mathcal{N}^\circ$. By the third requirement on occurrence nets of
Definition 6 there are only finitely many transitions t with (f,rt) G Hence one
of the finite approximations of Nf contains all these transitions. So *u C 
Let, for all i > k, P2u) be the finite prefix of 'J’2u that extends IP2 with 

the single transition u. Then for all i > k, and the limit of the chain 

‘P 2 U ^ "^ 2 ^^ < ... is 72u- By induction on z G IN, it now follows from the properties of 
a process-based sp-bisimulation that A^i has processes = (^u^Piu) for all i > k, 

such that (pIu^Kc^pD e Pi) < Pin) and (Kc, p\J < 

Using Proposition 3 the limit $\mathcal{P}_{1u} = (\mathcal{N}_u, p_{1u})$ of this chain is a process of $N_1$. It
extends $\mathcal{P}_1$ with the single transition $u$, contradicting the maximality of $\mathcal{P}_1$. □


14 Inevitability for reactive systems 

In the modelling of reactive systems, an action performed by a net is typically a
synchronisation between the net itself and its environment. Such an action can take place
only when the net is ready to perform it, as well as its environment. In this setting, an
adequate formalisation of the concepts of justness and inevitability requires keeping track
of the set of actions that from some point onwards are blocked by the environment—e.g.
because the environment is not ready to partake in the synchronisation. Such actions are
not required to occur eventually, even when they are perpetually enabled by the net
itself. Let's speak of a $Y$-environment if $Y$ is this set of actions. In Section 11 I restricted
attention to $\emptyset$-environments, in which an action can happen as soon as it is enabled
by the net in question. In ifTSl a path is called $Y$-just iff, when assuming justness, it
models a complete run of the represented system in a $Y$-environment. Below is a
formalisation of this concept for Petri nets under the individual token interpretation.

Definition 14. A process of a net is $Y$-just or $Y$-complete if each of its proper
extensions adds a transition with a label in $Y$.

Note that a just or complete process as defined in Section 11 is a $\emptyset$-just or $\emptyset$-complete
process. In applications there often is a subset of actions that are known to be fully
controlled by the system under consideration, and not by its environment. Such actions
are often called non-blocking. A typical example from process algebra M is the
internal action $\tau$. In such a setting, $Y$-environments exist only for sets of actions $Y \subseteq$
where is the set of all non-non-blocking actions.

A process of a net is complete if it models a complete run of the represented system
in some environment. This is the case iff it is $Y$-complete for some set $Y \subseteq$ which
is the case iff it is “^-complete.

In 041, non-blocking is a property of transitions rather than actions, and
non-blocking transitions are called hot. Transitions that are not hot are cold, which inspired
my choice of the latter ^ above. In this setting, a process $\mathcal{P} = (\mathcal{N}, p)$ is complete iff
the marking $p(\mathcal{N}^\circ)$ enables cold transitions only ll34l.

Definition 15. An action $b$ is $Y$-inevitable in a net if each $Y$-complete process contains
a transition labelled $b$. A semantic equivalence $\approx$ respects $Y$-inevitability if whenever
$N_1 \approx N_2$ and $b$ is $Y$-inevitable in $N_1$, then $b$ is $Y$-inevitable in $N_2$. It respects
inevitability iff it respects $Y$-inevitability for each $Y \subseteq$

In Section 12 it is shown that $=_{caus}$ and $\approx_h$ do not respect $\emptyset$-inevitability. From this
it follows that they do not respect inevitability. In Section 13 it is shown that $\underline{\leftrightarrow}_{sp}$
does respect $\emptyset$-inevitability. By means of a trivial adaptation the same proof shows that
$\underline{\leftrightarrow}_{sp}$ respects $Y$-inevitability, for arbitrary $Y$. All that is needed is to assume that the
transition $u$ in that proof has a label $\notin Y$. Thus $\underline{\leftrightarrow}_{sp}$ respects inevitability.

15 Conclusion 

This paper proposes a novel semantic equivalence for concurrent systems represented as
Petri nets: structure preserving bisimilarity. As a major application—the one that
inspired this work—it is used to establish the agreement between the operational Petri net
semantics of the process algebra CCSP as proposed by Olderog, and its denotational
counterpart. An earlier semantic relation used for this purpose was Olderog’s strong
bisimilarity on safe Petri nets, but that relation failed to be transitive. I hereby
conjecture that on the subclass of occurrence nets, strong bisimilarity and structure preserving
bisimilarity coincide. If this is true, it follows, together with the observations of
Section 6 that strong bisimilarity is included in structure preserving bisimilarity, and of
Section 10.2 that each safe net is strongly bisimilar with its unfolding into an
occurrence net, that on safe nets structure preserving bisimilarity is the transitive closure of
strong bisimilarity.

Section [L2] proposes nine requirements on a semantic equivalence that is used for 
purposes like the one above. I have shown that structure preserving bisimilarity meets 
eight of these requirements and conjecture that it meets the remaining one as well. 

- It meets Requirement 1, that it respects branching time, as a consequence of
Theorem 5, saying that it is finer than history preserving bisimilarity, which is known to
be finer than interleaving bisimilarity.

- It meets Requirement 2, that it fully captures causality and concurrency (and their
interplay with branching time)j| also as a consequence of Theorem 5.

- It meets Requirement 3, that it respects inevitability (under the standard
interpretation of Petri nets that assumes justness but not fairness),El as shown in Section 13.

- It meets Requirement 4, that it is real-time consistent, as a result of Theorem 5.

- I conjecture that it meets Requirement 5, that it is preserved under action refinement.

- It meets Requirement 6, that it is finer than causal equivalence, by Theorem 4.

- It meets Requirement 7, that it is coarser than $=_{occ}$, as shown in Section 10.2.

- It meets Requirement 8, that it is a congruence for the CCSP operators, by Thm. 2.

- It meets Requirement 9, that it allows to establish agreement between the
operational and denotational interpretations of CCSP operators, since it is coarser than
Olderog’s strong bisimilarity, as shown in Section 6.

^ when taking the individual token interpretation of nets, or restricting attention to safe ones 

Moreover, structure preserving bisimilarity is the first known equivalence that meets
these requirements. In fact, it is the first that meets the key Requirements 3, 4, 7 and 9. 

Acknowledgement My thanks to Ursula Goltz for proofreading and valuable feedback. 